[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


  ACCESS DENIED: KEEPING ADVERSARIES AWAY FROM THE HOMELAND SECURITY
                              SUPPLY CHAIN

=======================================================================

                               JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                          COUNTERTERRORISM AND
                              INTELLIGENCE

                                AND THE

                            SUBCOMMITTEE ON
                             OVERSIGHT AND
                         MANAGEMENT EFFICIENCY

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 12, 2018

                               __________

                           Serial No. 115-71

                               __________

       Printed for the use of the Committee on Homeland Security

         Available via the World Wide Web: http://www.govinfo.gov

                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
34-348 PDF                  WASHINGTON : 2019

-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com


                               __________

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania           Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania            William R. Keating, Massachusetts
John Katko, New York                 Donald M. Payne, Jr., New Jersey
Will Hurd, Texas                     Filemon Vela, Texas
Martha McSally, Arizona              Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas                Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York     J. Luis Correa, California
Mike Gallagher, Wisconsin            Val Butler Demings, Florida
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
Debbie Lesko, Arizona
                   Brendan P. Shields, Staff Director
                    Steven S. Giaier, Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------

           SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE

                   Peter T. King, New York, Chairman
Lou Barletta, Pennsylvania           Kathleen M. Rice, New York
Scott Perry, Pennsylvania            Sheila Jackson Lee, Texas
Will Hurd, Texas                     William R. Keating, Massachusetts
Mike Gallagher, Wisconsin            Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Mandy Bowers, Subcommittee Staff Director
            Nicole Tisdale, Minority Staff Director/Counsel
                                 ------

          SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY

                  Scott Perry, Pennsylvania, Chairman
                                     J. Luis Correa, California
John Ratcliffe, Texas                Kathleen M. Rice, New York
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
Thomas A. Garrett, Jr., Virginia     Bennie G. Thompson, Mississippi
Ron Estes, Kansas                        (ex officio)
Michael T. McCaul, Texas (ex
    officio)
               Diana Bergwin, Subcommittee Staff Director
      Erica D. Woods, Interim Subcommittee Minority Staff Director


                            C O N T E N T S

                              ----------

                               STATEMENTS

The Honorable Peter T. King, a Representative in Congress From
  the State of New York, and Chairman, Subcommittee on
  Counterterrorism and Intelligence:
  Oral Statement
  Prepared Statement
The Honorable Kathleen M. Rice, a Representative in Congress From
  the State of New York, and Ranking Member, Subcommittee on
  Counterterrorism and Intelligence:
  Oral Statement
  Prepared Statement
The Honorable Scott Perry, a Representative in Congress From the
  State of Pennsylvania, and Chairman, Subcommittee on Oversight
  and Management Efficiency:
  Oral Statement
  Prepared Statement
The Honorable J. Luis Correa, a Representative in Congress From
  the State of California, and Ranking Member, Subcommittee on
  Oversight and Management Efficiency:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
  From the State of Mississippi, and Ranking Member, Committee on
  Homeland Security:
  Prepared Statement

                               WITNESSES
                                Panel I

Ms. Soraya Correa, Chief Procurement Officer, Office of the Chief
  Procurement Officer, U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement
Mr. John Zangardi, Chief Information Officer, Office of the Chief
  Information Officer, U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement
Ms. Jeanette Manfra, Assistant Secretary, Office of Cybersecurity
  and Communications, National Protection and Programs
  Directorate, U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement

                                Panel II

Mr. Gregory C. Wilshusen, Director of Information Security
  Issues, Government Accountability Office:
  Oral Statement
  Prepared Statement

                                APPENDIX

Question From Chairman Scott Perry for the Department of Homeland
  Security
Questions From Honorable James R. Langevin for the Department of
  Homeland Security
Questions From Honorable Ron Estes for Gregory C. Wilshusen


  ACCESS DENIED: KEEPING ADVERSARIES AWAY FROM THE HOMELAND SECURITY
                              SUPPLY CHAIN

                              ----------


                        Thursday, July 12, 2018

       U.S. House of Representatives,
        Committee on Homeland Security,
Subcommittee on Counterterrorism and Intelligence,
                                                and
                             Subcommittee on Oversight and
                                     Management Efficiency,
                                                    Washington, DC.
    The subcommittees met, pursuant to notice, at 10:05 a.m., in room HVC-210, Capitol Visitor Center, Hon. Peter King [Chairman of the Subcommittee on Counterterrorism and Intelligence] presiding.
    Present: Representatives King, Perry, Hurd, Donovan, Rice, Correa, Barragan, and Keating.
    Mr. King. Good morning. The Committee on Homeland Security Subcommittees on Counterterrorism and Intelligence and Oversight and Management Efficiency will come to order.
    The subcommittees are meeting today in a joint hearing to examine threats in the Department of Homeland Security's supply chain and assess tools and authorities for DHS to mitigate those threats. I now recognize myself for an opening statement.
    There is no question that nation-states and criminal actors are constantly trying to exploit U.S. Government and private-sector systems to steal information or insert potentially harmful hardware or software. The recent cases involving Kaspersky, ZTE, and Huawei underscore the threats posed to the Federal supply chain and the urgency in developing stronger mechanisms to secure it.
    In March 2017, the Office of the Director of National Intelligence, ODNI, released a background paper on the supply chain risk management, stating: "Even as the U.S. Government and private sector have implemented programs to mitigate and counter supply chain threats, the evolution of directed, sophisticated, and multifaceted threats threatens to outpace our countermeasures. Traditional remedies such as trade agreements, economic sanctions, and legal actions are reactionary in nature and cannot keep pace with the evolution of threats."
    The Federal Government is behind the curve in establishing robust supply chain security measures. It is clear that additional tools, policies, resources, and legal authorities are urgently needed to address this challenge. I am pleased that the White House released a legislative proposal on Tuesday developed through the interagency process that was initiated in April.
    The proposal seeks to strengthen SCRM's efforts across the Government, enhance information sharing, and harden the Federal procurement process to identify and mitigate threats. Additionally, I want to highlight that DHS is making great strides to implement SCRM measures throughout the Department.
    Last year, DHS issued policy directives for high-value assets requiring that all DHS components develop and implement SCRM strategies for sensitive payments, educate and train staff and contractors about supply chain risks, and enforce good supply chain hygiene by establishing contractual requirements and audit mechanisms for suppliers.
    The purpose of today's hearing is to review current capabilities and authorities and assess whether additional authorities are needed to better protect the Department of Homeland Security's supply chain.
    The Department of Defense and the intelligence community have existing authorities to block certain procurement efforts if security risks are identified. Even now, more is being done to protect our sensitive supply chain. The recently-passed National Defense Authorization Act enhances DOD's authorities, and the Intelligence Authorization Act which is on the floor today further strengthens the intelligence community's SCRM toolkit.
    As a National security agency, it is vital that DHS also have robust supply chain risk management practices and tools to identify, mitigate, and remove potential threats to our systems and contracts. In addition to reviewing the OMB proposal, both subcommittees are working on specific legislation to provide DHS with similar SCRM authorities to DOD.
    At the end of the day, the ability of any agency to address supply chain risk survives on a robust intelligence framework. The foundation of any SCRM program is the ability to proactively identify entities seeking to exploit the DHS acquisition process, become trusted vendors, and then steal from or otherwise harm the Homeland Security enterprise.
    In order to fully understand DHS intelligence SCRM capabilities and specific threats to the supply chain, I expect that after an initial round of questions in the open session, we move to a closed session to better discuss those issues.
    I again want to thank the witnesses for being here and express appreciation for Chairman Perry and Ranking Member Correa for working with us on this joint hearing.
    [The statement of Chairman King follows:]

                  Statement of Chairman Peter T. King

                             July 12, 2018

    There is no question that nation-states and criminal actors are constantly trying to exploit U.S. Government and private-sector systems to steal information or insert potentially harmful hardware or software. The recent cases involving Kaspersky, ZTE, and Huawei underscore the threats posed to the Federal supply chain and the urgency in developing stronger mechanisms to secure it.
    In March 2017, the Office of the Director of National Intelligence (ODNI) released a background paper on the supply chain risk management stating: "Even as the U.S. Government and private sector have implemented programs to mitigate and counter supply chain threats, the evolution of directed, sophisticated, and multifaceted threats threatens to outpace our countermeasures. Traditional remedies such as trade agreements, economic sanctions, and legal actions are reactionary in nature and cannot keep pace with the evolution of threats."
    The Federal Government is behind the curve in establishing robust supply chain security measures. It is clear that additional tools, policies, resources, and legal authorities are urgently needed to address this challenge.
    I am pleased that the White House released a legislative proposal on Tuesday developed through the interagency process initiated in April. The proposal seeks to strengthen SCRM efforts across the Government, enhance information sharing, and harden the Federal procurement process to identify and mitigate threats.
    Additionally, I want to highlight that DHS is making great strides to implement SCRM measures throughout the Department. Last year, DHS issued policy directives for high-value assets requiring that all DHS components develop and implement SCRM strategies for sensitive systems, educate and train staff and contractors about supply chain risks, and enforce good supply chain hygiene by establishing contractual requirements and audit mechanisms for suppliers.
    The purpose of today's hearing is to review current capabilities and authorities and assess whether additional authorities are needed to better protect the Department of Homeland Security's supply chain.
    The Department of Defense and the intelligence community have existing authorities to block certain procurement efforts if security risks are identified. Even now, more is being done to protect their sensitive supply chain. The recently-passed National Defense Authorization Act enhances DOD's authorities and the Intelligence Authorization Act, on the Floor today, further strengthens the intelligence community's SCRM toolkit. As a National security agency, it is vital that DHS also have robust supply chain risk management practices and tools to identify, mitigate, and remove potential threats to its systems and contracts.
    In addition to reviewing the OMB proposal, both subcommittees are working on specific legislation to provide DHS with similar SCRM authorities to DOD. At the end of the day, the ability of any agency to address supply chain risk survives on a robust intelligence framework.
    The foundation of any SCRM program is the ability to proactively identify entities seeking to exploit the DHS acquisition process, become trusted vendors, and then steal from or otherwise harm the homeland security enterprise.
    In order to fully understand current DHS intelligence SCRM capabilities and specific threats to the supply chain, I expect that after an initial round of questions in the open session we will move into a closed session to better discuss those issues.
    I again want to thank the witnesses for being here and express appreciation for Chairman Perry and Ranking Member Correa for working with us on this joint hearing.

    Mr. King. I am pleased to recognize the Ranking Member of the Subcommittee on Counterterrorism and Intelligence, the gentlelady from New York, Miss Rice, for her opening statement.
    Miss Rice. Thank you, Chairman King and Chairman Perry, for holding this important hearing, and thank you to the witnesses for coming to testify today.
    The Department of Homeland Security has the enormous responsibility of securing the Federal Government's vast supply chain, particularly information technology, from a wide variety of foreign threats. Today the most pressing threats come from Chinese and Russian IT companies that until recently were used widely throughout the United States and by several Federal agencies. For example, last year we learned that the Russian cybersecurity company Kaspersky Lab was operating compromised antivirus software on U.S. Government computers. Despite being a long-time Government vendor, the FBI had reason to believe the Kaspersky programs contained back doors that could be accessed by Russian intelligence. Thankfully, DHS acted to wipe the software from all Government systems.
    Additionally, Members of Congress have long been warned that the Chinese telecommunications companies Huawei and ZTE also pose risks to our National security. ZTE and Huawei are two of the world's largest telecommunication companies and were used widely in the United States. However, the companies have close ties to the Chinese Government and were believed to be possible vehicles for cyber threat and espionage.
    In 2016, we imposed stiff penalties on ZTE for violating U.S. sanctions by making hundreds of shipments of telecommunications equipment made with U.S. parts to Iran, Sudan, North Korea, Syria, and Cuba. After yet another breach in April, ZTE faced additional U.S. penalties, including a ban on U.S. suppliers selling equipment to ZTE. The following month, both ZTE and Huawei were also banned from being sold on U.S. military bases.
    These bans were not only warranted but, in my opinion, long overdue. These companies and their government clearly pose a threat to our National security and we had a responsibility to act, which makes the actions of President Trump all the more surprising. It appears President Trump has placed his own business interests above our National security. Not long after a soon-to-be Trump-branded resort in Indonesia received loans from the Chinese Government, the President tweeted a promise to save ZTE from the punishing penalties. Just yesterday, the Trump administration and the Chinese Government signed an agreement to end the ban on U.S. exports to ZTE.
    The President's lack of candor and leadership on this issue, coupled with the urgent threats facing our supply chains, calls for the Federal Government to develop a comprehensive strategy to protect our supply chains from foreign threats. During this hearing, I hope to learn more about what the Department of Homeland Security is doing to advance their counterintelligence programs, specifically with the proposed use of section 806 authority.
    I think it is also important that we know whether the White House is playing an active role in coordinating supply chain security across the Federal Government. But most importantly, this committee needs to know what additional resources and support are needed by supply chain risk management programs to carry out its mission effectively. As I understand, there are only two employees dedicated to the SCRM program, which seems completely inadequate, given the task ahead.
    It is time that we finally listen to the intelligence community and create a comprehensive strategy to counter the mounting threats facing our supply chains. I look forward to hearing from our witnesses today and I do hope this will be a constructive conversation. Thank you, Mr. Chairman.
    [The statement of Ranking Member Rice follows:]

               Statement of Ranking Member Kathleen Rice

                             July 12, 2018

    The Department of Homeland Security has the enormous responsibility of securing the Federal Government's vast supply chain--particularly information technology--from a wide variety of foreign threats. Today, the most pressing threats come from Chinese and Russian IT companies, that until recently were used widely throughout the United States and by several Federal agencies.
    For example, last year we learned that the Russian cybersecurity company Kaspersky Lab was operating compromised anti-virus software in U.S. Government computers. Despite being a long-time Government vendor, the FBI had reason to believe the Kaspersky programs contained back doors that could be accessed by Russian intelligence. Thankfully, DHS acted to wipe the software from all Government systems. Additionally, Members of Congress have long been warned that the Chinese telecommunications companies Huawei and ZTE also posed risks to our National security.
    ZTE and Huawei are two of the world's largest telecommunications companies and were used widely in the United States. However, the companies have close ties to the Chinese government and were believed to be possible vehicles for cyber theft and espionage.
    In 2016, we imposed stiff penalties on ZTE for violating U.S. sanctions by making hundreds of shipments of telecommunications equipment made with U.S. parts to Iran, Sudan, North Korea, Syria, and Cuba. After yet another breach in April, ZTE faced additional U.S. penalties, including a ban on U.S. suppliers selling equipment to ZTE. The following month both ZTE and Huawei were also banned from being sold on U.S. military bases. These bans were not only warranted but, in my opinion, long overdue. These companies and their Government clearly pose a threat to our National security and we had a responsibility to act.
    Unsurprisingly, however, President Trump appears to have placed his own business interests above our National security. Not long after a soon-to-be Trump-branded resort in Indonesia received loans from the Chinese government, the President tweeted a promise to save ZTE from the punishing penalties. Just yesterday, the Trump administration and the Chinese government signed an agreement to end the ban on U.S. exports to ZTE.
    The President's lack of candor and leadership on this issue, coupled with the urgent threats facing our supply chains, calls for the Federal Government to develop a comprehensive strategy to protect our supply chains from foreign threats.
    During this hearing, I hope to learn more about what the Department of Homeland Security is doing to advance their counterintelligence programs specifically with the proposed use of Section 806 authority. I also want to know whether the White House is playing an active role in coordinating supply chain security across the Federal Government.
    But most importantly, this committee needs to know what additional resources and supports are needed by the Supply Chain Risk Management program to carry out its mission effectively. As I understand, there are only two employees dedicated to the SCRM Program. That seems completely inadequate given the task ahead. It is time that we finally listen to the intelligence community and create a comprehensive strategy to counter the mounting threats facing our supply chains.

    Mr. King. Thank you, Miss Rice.
    I now recognize the Chairman of the Subcommittee on Oversight and Management Efficiency, Mr. Perry, for an opening statement.
    Mr. Perry. Thank you, Mr. Chairman.
    Good morning. I thank you, Chairman King, for holding this hearing today and including the Oversight and Management Efficiency Subcommittee in this very important, timely discussion on the Department of Homeland Security's efforts to secure its supply chain.
    In today's interconnected world, the Federal Government is increasingly reliant on the procurement of products and services with supply chains that originate from outside our borders. DHS is no exception. Global supply chains are integral to the Department's ability to carry out the mission of securing the homeland. However, recent incidents involving Government contractors and foreign-based suppliers, like Kaspersky Lab, ZTE, and Huawei, have shed light on the security risks associated with the global nature of supply chains. Potential threats to international supply chains, ranging from interference by foreign adversaries to poor product manufacturing practices, present a unique and complex challenge for both DHS and National security.
    To assess and counter supply chain threats, organizations employ supply chain risk management strategies which leverage risk assessments to neutralize threats associated with the global and distributed nature of modern supply chains. Risk assessments are made by utilizing open- and closed-source research, to allow organizations to better understand their supply chain and identify the threats specific to it. To assist the Federal Government in this effort, the National Institute for Standards and Technology has released Government-wide best practices for agencies to use as a model for their own supply chain risk management strategies.
    Agencies like DHS rely on contracts for products and services to carry out their daily operations. As such, in the case of the Department, ensuring supply chain security is intrinsic to the mission of ensuring National security. Unfortunately, given the threat environment, I too am concerned that the Department does not currently possess the sufficient tools to effectively carry out supply chain risk management.
    Under the regulations governing Federal procurements, DHS maintains limited authority to terminate procurement contracts for unforeseen circumstances and to bar irresponsible entities from doing future business with the Federal Government for up to 3 years.
    Additionally, the Federal Information Security Modernization Act of 2014 granted the Department the authority to issue binding operational directives, which are compulsory orders for Federal agencies to take action to safeguard information in IT systems when a security vulnerability has been identified. Unfortunately, these authorities are generally viewed as reactive measures that open the Department up to costly liability and litigation and are not agile enough to address today's supply chain threats.
    DHS needs the proper authorities to be able to decisively act when a threat to its supply chain has been identified. That is why in the near term, I will be joining with my colleague Chairman King in introducing legislation to provide DHS with the tools to effectively carry out supply chain risk management in order to secure its supply chain. Modeled after statutory authority given to the Department of Defense in 2011, this legislation will empower the Secretary of DHS to block entities who pose a security risk from being a DHS vendor. This legislation will also encourage information sharing across the Department when a supply chain risk has been identified.
    Again, I thank our distinguished panel for testifying this morning and I look forward to learning more about supply chain risk management at the Department. It is my intention to use today's discussion to help further shape a legislative solution for securing DHS's supply chain.
    Thank you, Mr. Chairman. I yield the balance.
    [The statement of Chairman Perry follows:]

                   Statement of Chairman Scott Perry

                             July 12, 2018

    Good morning. I would like to thank Chairman King for holding this hearing today and including the Oversight and Management Efficiency Subcommittee in this very important and timely discussion on the Department of Homeland Security's efforts to secure its supply chain.
    In today's interconnected world, the Federal Government is increasingly reliant on the procurement of products and services with supply chains that originate from outside our borders. DHS is no exception. Global supply chains are integral to the Department's ability to carry out the mission of securing the homeland.
    However, recent incidents involving Government contractors and foreign-based suppliers like Kaspersky Lab, ZTE, and Huawei have shed light on the security risks associated with the global nature of supply chains. Potential threats to international supply chains ranging from interference by foreign adversaries to poor product manufacturing practices present a unique and complex challenge for both DHS and National security.
    To assess and counter supply chain threats, organizations employ supply chain risk management strategies, which leverage risk assessments to neutralize threats associated with the global and distributed nature of modern supply chains. Risk assessments are made by utilizing open- and closed-source research to allow organizations to better understand their supply chain and identify the threats specific to it. To assist the Federal Government in this effort, the National Institute for Standards and Technology has released Government-wide best practices for agencies to use as a model for their own supply chain risk management strategies.
    Agencies like DHS rely on contracts for products and services to carry out their daily operations. As such, in the case of the Department, ensuring supply chain security is intrinsic to the mission of ensuring National security.
    Unfortunately, given the threat environment, I am concerned that the Department does not currently possess the sufficient tools to effectively carry out supply chain risk management. Under the regulations governing Federal procurements, DHS maintains limited authorities to terminate procurement contracts for unforeseen circumstances and to bar irresponsible entities from doing future business with the Federal Government for up to 3 years. Additionally, the Federal Information Security Modernization Act of 2014 granted the Department the authority to issue binding operational directives, which are compulsory orders for Federal agencies to take action to safeguard information and IT systems when a security vulnerability has been identified. Unfortunately, these authorities are generally viewed as reactive measures that open the Department up to costly liability and litigation and are not agile enough to address today's supply chain threats.
    DHS needs the proper authorities to be able to decisively act when a threat to its supply chain has been identified. That is why, in the near term, I will be joining with my colleague Chairman King in introducing legislation to provide DHS with the tools to effectively carry out supply chain risk management in order to secure its supply chain.
    Modeled after statutory authority given to the Department of Defense in 2011, this legislation will empower the Secretary of DHS to block entities who pose a security risk from being a DHS vendor. The legislation will also encourage information sharing across the Department when a supply chain risk has been identified.
    I want to thank our distinguished panel for testifying this morning and I look forward to learning more about supply chain risk management at the Department. It is my intention to use today's discussion to help further shape a legislative solution for securing DHS's supply chain. Thank you and I yield back the balance of my time.

    Mr. King. Thank you, Mr. Perry. I am pleased that our two subcommittees are working together to address this vital issue.
    I now recognize the Ranking Member of the subcommittee, Mr. Correa, for an opening statement.
    Mr. Correa of California. Thank you, Chairman Perry, Chairman King, and Vice Chairperson Rice, for today's hearing. This morning the two subcommittees will hear from witnesses on DHS's current authority on mitigating threats to our supply chain. We urgently need a National strategy for supply chain risk management.
    Foreign nation-states like Russia and China view information and communication technology as a strategic sector in which they have invested significant capital and exercise tremendous influence. IT products and services through the global supply chain are threats that continue to evolve every day. Bad actors continue to target U.S. Government contractors and other private-sector entities that do business with the Government and try to gain advantage and undermine our security.
    Over the past year, DHS has mitigated the risks and secured the Government supply chain. DHS launched a new supply chain risk management, or SCRM, program. While the goals of the program are commendable, its mission far exceeds its resources. As of this May, there are only two employees dedicated to the program. I hope to work with the Department and my colleagues across the aisle to provide this office with the proper resources and manpower it deserves.
    Last, I look forward to hearing from today's witnesses on how the DHS SCRM program fits into the Federal Government's overarching approach to supply chain security. Without a cybersecurity coordinator within the administration, I am also concerned about consolidation efforts underway within multiple Federal agencies to address the National security implications of supply chain vulnerability.
    The Federal Government supply chain is a target for our adversaries and we need to ensure that commercial off-the-shelf goods and services are not the subject of manipulation. It is imperative that we streamline these efforts to better protect against supply chain threats, and I hope to work with the administration to that end.
    With that, I yield.
    [The statement of Ranking Member Correa follows:]

               Statement of Ranking Member J. Luis Correa

                             July 12, 2018

    This morning the two subcommittees will hear from several distinguished witnesses on DHS's current authority related to mitigating threats to its supply chain. As previously mentioned by my colleagues in their opening statements, the United States needs a National strategy for supply chain risk management--and it needs it now.
    Foreign nation-states like Russia and China rely on information and communication technology as a "strategic sector," in which the two countries' governments have invested significant capital and exercise substantial influence.
    In 2012, the House Permanent Select Committee on Intelligence found that the risks posed by China's largest telecommunications manufacturers, ZTE and Huawei, "could undermine core U.S. National security interests." In 2017, after "concern[s] about the ties between certain Kaspersky officials and Russian intelligence," DHS directed all Federal agencies to remove the Russian-based firm's products from their networks.
    The exploitation of IT products and services through the global supply chain is a threat that continues to evolve each day. Bad actors continue to target U.S. Government contractors and other private-sector entities that do business with the Government to try to gain advantage and pursue other state goals.
    Over the past year, DHS has taken several steps to mitigate the risk and secure the Federal Government's supply chain. Just recently, DHS launched a new Supply Chain Risk Management (SCRM), or "SKRIM" Program, within its National Programs and Protection Directorate.
This \nnew office was established to examine security concerns arising from \nthe use of certain vendors and subcontractors.\n    However, while the goals of the program are laudable, its mission \nfar exceeds its resources. As of May, there were only 2 employees \ndedicated to the program.\n    Considering that the risk is great, I hope to work with the \nDepartment and my colleagues across the aisle on providing this office \nwith the proper resources and manpower that it deserves. Especially \nwhen we are considering expanding DHS\'s authority related to denying \nprocurements based on National security concerns.\n    Last, I look forward to hearing from today\'s witnesses on how the \nDHS SCRM Program fits into the Federal Government\'s overarching \napproach to supply chain security.\n    Without a Cybersecurity Coordinator within the Trump \nadministration, I am concerned about the White House\'s ability to \nconsolidate the numerous efforts underway within multiple Federal \nagencies to address the National security implications of supply chain \nvulnerabilities.\n    The Federal Government\'s supply chain is a target for our \nadversaries, and we need to ensure that commercial off-the-shelf goods \nand services are not subject to manipulation. Hence why it is \nimperative that we streamline these efforts to better protect against \nsupply chain threats, and I hope to see the administration work towards \nthis.\n\n    Mr. King. I thank the gentleman. I thank Mr. Correa.\n    Other Members of the subcommittee are reminded that opening \nstatements may be submitted for the record.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                             July 12, 2018\n    The threats to the United States from China and Russia are not new. 
\nFor years, it has been reported that Chinese companies like ZTE and \nHuawei could be used to carry out cyber theft, spying, and espionage.\n    Last year, Kaspersky Labs demonstrated the Russian government\'s \ncapability to use anti-virus products to compromise Federal information \nand information systems, directly affecting U.S. National security.\n    In a letter to Mississippi\'s Secretary of State in September, I \nspoke of ``an unacceptable amount of risk\'\' to our National security \nposed by these products, not only to the supply chain but also to the \nsecurity of our elections.\n    I am reiterating that concern today, especially since the threat \nfrom Russia and China to the United States has become more complicated \nand troubling in the wake of on-going actions by President Trump.\n    After the blatant violation of U.S. sanctions in 2016 by ZTE and \nits subsequent breach this year, the Department of Defense initiated a \nban on the sale of ZTE and Huawei products on military bases due to \nsecurity concerns.\n    Despite these concerns, in May, the President took to Twitter to \ncommit to saving ZTE and Chinese jobs days after a Trump-branded resort \nreceived a substantial loan from the Chinese government to build \nproperty in Indonesia.\n    This sent a clear message: the U.S. President will do business with \nyou if you do business with him.\n    These policies continue to erode U.S. institutions and interests \nabroad, downplaying the seriousness of U.S. 
sanctions and National \nsecurity to the global community.\n    The Federal Government supply chain is a target for our \nadversaries.\n    And while the threats from our adversaries are great, so is the \nopportunity to identify vulnerabilities and mitigate the risks.\n    Today, we are considering expanding DHS\'s authority to address \nsupply chain risk by excluding contractors based on National security \nconcerns.\n    Such authority would provide DHS with additional opportunities to \nmitigate supply chain risk during the acquisition phase.\n    The Defense Department currently has authority, known as Section \n806 authority, to exclude contractors from information technology \nprocurements if evidence of National security risk is identified and \nmitigation measures are not available. This authority has only been \nused once.\n    Although the legislation is a good first step, we should consider \nwhether refinements are necessary based on DOD\'s lessons learned.\n    Providing the authority won\'t address the fact that the Trump \nadministration lacks a coherent, Government-wide strategy to adequately \naddress the challenges we continue to face from Russia and China.\n    National Security experts, business associations and Members of \nthis committee have communicated their concerns to the administration, \nabout the need to secure Federal supply chains.\n\n    Mr. King. I now would like to ask unanimous consent that \nthe Chairman of the Emergency Preparedness Subcommittee, Mr. \nDonovan, be able to sit on the dais and participate in today\'s \nhearing. Without objection, so ordered.\n    We are grateful to have a very distinguished panel here \ntoday to testify before us. And let me remind the witnesses \nthat their entire written statements will appear in the record.\n    Our first witness, Ms. Soraya Correa--did I get that right?\n    OK good. Serves as the chief procurement officer for the \nDepartment of Homeland Security. Ms. 
Correa provides \nleadership, policy, oversight, support, and professional work \nforce development for the DHS contracting work force of \napproximately 1,500 individuals. As the senior procurement \nexecutive, she also oversees a centralized certification and \ntraining program for the DHS acquisition work force and also \nassists the chief acquisition officer in managing major \nacquisition programs.\n    Prior to being appointed to this position in January 2015, \nMs. Correa served as the associate director of the U.S. \nCitizenship and Immigration Service Enterprise Services \nDirectorate.\n    The Chair now recognizes Ms. Correa for her opening \nstatement. Thank you.\n\n STATEMENT OF SORAYA CORREA, CHIEF PROCUREMENT OFFICER, OFFICE \n OF THE CHIEF PROCUREMENT OFFICER, U.S. DEPARTMENT OF HOMELAND \n                            SECURITY\n\n    Ms. Correa. Thank you.\n    Chairman King, Chairman Perry, Ranking Member Correa, and \nRanking Member Rice and Members of the subcommittees, thank you \nfor this opportunity to discuss ways the Department of Homeland \nSecurity can enhance its ability to effectively manage supply \nchain risk in the procurement process.\n    As the chief procurement officer and senior procurement \nexecutive for the Department, I am responsible for the DHS \nprocurement line of business. My DHS colleagues will speak to \nsupply chain risk and the Department\'s response to this risk. I \nam here to discuss the additional authority needed to ensure \nthe procurement process can effectively and efficiently address \nidentified threats and vulnerabilities in the supply chain \nwhile protecting intelligence information.\n    The DHS National security and cybersecurity mission \nwarrants additional authority in order to protect its systems \nand networks. 
From a procurement perspective, it is essential \nthat we promote business processes and use authorities that \nenable us to be more consistent in our training, \nimplementation, and management of those authorities across the \nGovernment.\n    If we do, we can improve understanding and ease \nimplementation for industry, especially for new companies and \nsmall businesses. Today, Federal agencies are finding \nincreasing similarities in the products and services that we \nacquire, in the ways we work with the various industries, and \nin National security considerations that impact our mission. \nTherefore, providing certain authorities for use across the \nFederal Government to ensure a fair and effective process for \naddressing supply chain risks throughout the acquisition life \ncycle is essential.\n    I would like to briefly describe how the rules governing \nthe procurement process impact DHS when the Department needs to \ntake action on intelligence information. Currently, DHS \ncontracting officers, or COs, regardless of their security \nclearance level, are unable to receive specific intelligence \ninformation. Instead, COs are advised broadly that there is a \nrisk and provided the potential mitigation strategies to offset \nthat risk, or they are advised if there is a risk that cannot \nbe mitigated. When a risk cannot be mitigated, there are \nsufficient authorities in a Classified procurement to take \nimmediate action. 
However, in an unclassified procurement, \nwhere the vast majority of DHS procurements are actually \nconducted and administered, the CO\'s actions are restricted, \nbecause the process is designed to balance the equities of the \ncontracting parties, ensuring due process for contractors and \nfull disclosure of the Government\'s reasons for pursuing \ncontractual remedies in the event of a performance or integrity \nfailure.\n    The Federal acquisition regulation and underpinning \nstatutes were designed around the procurement of commodities \nand services that were neither anticipated to be vulnerable to \nnor the target of the sophisticated foreign intelligence \nactivities witnessed in recent years, especially those \nassociated with the globalized information and communications \ntechnology supply chain.\n    In fact, during the preaward process or during the preaward \nphase of the competitive procurement process, which includes \nthe evaluation of proposals submitted by competing vendors, a \nCO cannot take action on intelligence information if it would \npreclude the further participation of an interested vendor. The \ncompetitive process is designed to ensure fair and equitable \ntreatment of participating vendors, thereby requiring \nsufficient transparency in the Government\'s decision to exclude \na vendor.\n    Ideally, we need to anticipate risks in our planning phase \nand find mitigation strategies before we begin the procurement \nprocess. Unfortunately, sometimes risks are not identified \nuntil a particular vendor or their proposed solution is \nevaluated. While we will always turn to our DHS colleagues to \nmitigate such risks, additional authority is needed for those \ninstances when the risk cannot be mitigated and the vendor or \nparticular product or service must be excluded.\n    There are existing authorities to manage risk on awarded \ncontracts. 
These include temporary stop work orders, \ntermination of contracts, and suspension and debarment actions, \nas appropriate. However, these remedies were not designed to \naddress a security threat based on intelligence information.\n    I would like to make an important point before I close. As \nthe Department\'s chief procurement officer and senior \nprocurement executive, I take my obligations to maintain the \nintegrity of the procurement process seriously. This is why I \nsupport strong safeguards against the abuse of any authorities \ngranted to enhance our ability to protect the supply chain and \nprotect intelligence information used in the procurement \nprocess. Therefore, I support ensuring accountability at a high \nlevel within the Department for use of such authority as well \nas appropriate fact-finding, resulting in well-documented \ndeterminations.\n    Thank you again for your interest in this very important \nmatter and I look forward to any questions that you may have.\n    [The joint prepared statement of Ms. Correa, Mr. Zangardi, \nand Ms. Manfra follow:]\nJoint Prepared Statement of Soraya Correa, John Zangardi, and Jeanette \n                                 Manfra\n                             July 12, 2018\n                              introduction\n    Chairman King, Chairman Perry, Ranking Member Correa, Ranking \nMember Rice, and Members of the subcommittees, thank you for this \nopportunity to discuss with you ways to improve the Department of \nHomeland Security\'s (DHS) ability to effectively manage supply chain \nrisk. The Secretary of DHS has two primary sets of supply chain risk \nmanagement responsibilities related to information and communications \ntechnology (ICT). In one set, the Secretary is responsible for \nprocurement and supply chain risk management within DHS\'s ICT \nenvironment. These responsibilities are carried out by the DHS chief \nprocurement officer (CPO) and DHS chief information officer (CIO). 
In \ncarrying out the other set of responsibilities, the Secretary of DHS, \nin consultation with the Office of Management and Budget (OMB), \nadministers the implementation of Government-wide information security \npolicies and practices. These responsibilities are carried out by the \nNational Protection and Programs Directorate (NPPD).\n    ICT is critical to an agency\'s ability to carry out its mission \nefficiently and effectively. Supply chain risks could contribute to the \nloss of confidentiality, integrity, or availability of information or \ninformation systems and result in adverse impacts to organizational \noperations (including mission, functions, image, or reputation), \norganizational assets, individuals, other organizations, and the \nNation. Cyber Supply Chain Risk Management (C-SCRM) is the process of \nidentifying, assessing, and mitigating the risks associated with the \nglobal and distributed nature of ICT product and service supply chains. \nC-SCRM spans the entire life cycle of ICT, including design, \ndevelopment, acquisition, distribution, deployment, maintenance, and \nproduct retirement.\n                       current supply chain risks\n    The ICT supply chain is widely viewed as a source of significant \nrisk to ICT products, systems, and services. Vulnerabilities in ICT can \nbe exploited intentionally or unintentionally through a variety of \nmeans, including deliberate mislabeling and counterfeits, unauthorized \nproduction, tampering, theft, and insertion of malicious software or \nhardware. 
If these risks are not detected and mitigated, the impact to \nthe ICT could be a fundamental degradation of its confidentiality, \nintegrity, or availability and potentially adverse impacts to essential \nGovernment or critical infrastructure systems.\n    Increasingly sophisticated adversaries seek to steal, compromise, \nalter, or destroy sensitive information on systems and networks, and \nrisks associated with ICT may be used to facilitate these activities. \nThe Office of the Director of National Intelligence (ODNI) \nacknowledges, ``The U.S. is under systemic assault by foreign \nintelligence entities who target the equipment, systems, and \ninformation used every day by government, business, and individual \ncitizens.\'\'\\1\\ The globalization of our supply chain can result in \ncomponent parts, services, and manufacturing from sources distributed \naround the world. ODNI further states, ``Our most capable adversaries \ncan access this supply chain at multiple points, establishing advanced, \npersistent, and multifaceted subversion. 
Our adversaries are also able \nto use this complexity to obfuscate their efforts to penetrate \nsensitive research and development programs, steal intellectual \nproperty and personally identifiable information, insert malware into \ncritical components, and mask foreign ownership, control, and/or \ninfluence (FOCI) of key providers of components and services.\'\'\n---------------------------------------------------------------------------\n    \\1\\ https://www.dni.gov/files/NCSC/documents/products/20170317-\nNCSC_SCRM-Background.pdf.\n---------------------------------------------------------------------------\n              managing information as a strategic resource\n    Current law governing information security of Federal information \nresources requires agencies to implement an agency-wide information \nsecurity program that ensures that information security is addressed \nthroughout the life cycle of each agency information system (44 U.S.C. \n3554(b)). On July 27, 2016, OMB released an update to Circular A-130, \nManaging Information as a Strategic Resource, the Federal Government\'s \ngoverning document for management of Federal information resources. \nAmong other things, the revisions require agencies to establish a \ncomprehensive approach to improve the acquisition and management of \ntheir information resources. This includes requirements for agencies to \nimplement and oversee the implementation of supply chain risk \nmanagement principles to protect against the insertion of counterfeits, \nunauthorized production, tampering, theft, and insertion of malicious \nsoftware throughout the system development life cycle. 
Moreover, \nappropriate supply chain risk management plans to ensure the integrity, \nsecurity, resilience, and quality of information systems are described \nin the National Institute of Standards and Technology (NIST) Special \nPublication 800-161, Supply Chain Risk Management Practices for Federal \nInformation Systems and Organizations.\n            the current rules for unclassified procurements\n    C-SCRM is no longer an emerging threat; it is pervasive. However, \nthe rules under which procurements are conducted have not kept pace \nwith the evolution of this threat. The Federal Acquisition Regulation \nis designed to balance the equities of the contracting parties, \nensuring due process for contractors and full disclosure of the \nGovernment\'s reasons for pursuing contractual remedies in the event of \nperformance or integrity failure. These rules, however, were designed \naround the procurement of commodities and services that were not \nanticipated to be vulnerable to, nor the target of, the sophisticated \nforeign intelligence activities witnessed in recent years, especially \nthose associated with a globalized ICT supply chain. For instance, the \ncurrent procurement rules and their underpinning statutes did not \nimagine the need to use and protect intelligence information in \nunclassified procurements. While there are tools available to pursue \ncorrection of contractor performance issues or address integrity \nfailures, they do not provide the flexibility to react swiftly to or \nprotect intelligence information when exclusion of a source is the only \nway to mitigate supply chain risk. In fact, some currently available \nprocurement tools that address performance issues, such as Government-\nwide exclusion from doing business with any agency for a period of \ntime, are too harsh, unless an agency investigation deems the \ncontractor to be at fault for the performance issue. 
New rules are \nneeded to combat the threat to our Nation\'s Federal information \ntechnology networks when intelligence information identifies risks that \ncannot be mitigated.\n             using and protecting intelligence information\n    Gaps exist in the DHS\'s authority to use intelligence information \nto support its procurement decisions when a significant supply chain \nrisk cannot be mitigated. Mitigation, which is an action initiated by \nthe Government to preclude a supply chain risk from causing a security \nconcern, is the preferred and least disruptive method of addressing \nsupply chain risk. However, in those exceptional cases where mitigation \nis not possible, DHS does not have the capability to react swiftly \nwhile appropriately restricting disclosure of intelligence and other \nNational security sensitive information.\n            dhs cyber supply chain risk management (c-scrm)\n    In order to appropriately manage supply chain risks, stakeholders \nneed increased visibility into, and understanding of, how the products \nand services they buy are developed, integrated, and deployed, as well \nas the processes, procedures, and practices used by ICT manufacturers \nand purveyors to assure the integrity, security, resilience, and \nquality of those products and services. The DHS Office of the Chief \nInformation Officer (OCIO) has initiated work focused on establishing a \nC-SCRM effort executed Department-wide.\n    The effort will include a governance structure that will update \nexisting policy and procedures for C-SCRM. Documentation will be \ndeveloped that will align with current policies while providing \nprogrammatic subject-matter expertise to DHS stakeholders and risk \nowners. Integral to the success of these efforts will be the functions \nand capabilities to conduct vulnerability and threat identification and \nanalysis. 
To accomplish this, a process will be established to produce \ntimely supply chain risk assessments of companies, products, and \nservices based on an analysis of publicly and commercially available \ninformation about the company and product, or service being purchased \nand information shared through liaisons with the U.S. intelligence \ncommunity (IC) threat assessment centers and DHS Office of Intelligence \nand Analysis (I&A), as appropriate.\n    Working closely with NPPD and the DHS CPO, the initiative will \ndevelop education and training to ensure the effective use of the new \nauthority. Guidance will also be provided to assist buyers in \ndetermining criticality, priority, and risk tolerance for the product \nor service to be purchased as well as assisting buyers and sellers with \ndetermining mitigation actions where supply chain risks have been \nidentified.\n    The DHS CIO knows first-hand that all tiers of the supply chain are \ntargeted by increasingly sophisticated and well-funded adversaries \nseeking to steal, compromise, alter, or destroy information and is \ncommitted to establishing a robust enterprise approach to better \nmanaging the risk and vulnerabilities associated with ICT components. \nAlthough DHS is investing in C-SCRM with the goal to broaden and \nfurther strengthen our approach, additional authority is needed to \nensure that risk is assessed and mitigated in a timely manner, and that \ndisclosure of intelligence sources and other information is restricted.\n      government-wide cyber supply chain risk management (c-scrm)\n    The administration has been working to establish a strategic \nstatutory framework to protect our Federal supply chain by conducting \nsupply chain risk assessments, creating mechanisms for sharing supply \nchain information, and establishing exclusion authorities--both within \nagencies and in a centralized manner--to be utilized when justified. 
\nEarlier this week, the administration shared its proposed legislation \nwith Congress, the ``Federal Information Technology Supply Chain Risk \nManagement Improvement Act of 2018.\'\' We look forward to supporting the \nadministration\'s work with Congress on the bill and strengthening our \nability to help agencies execute Departmental missions in an \nenvironment of changing vulnerabilities and threats.\n    NPPD carries out the DHS Secretary\'s responsibilities to administer \nthe implementation of Government-wide information security policies and \npractices (44 U.S.C. 3553(b)). These statutory responsibilities include \nmonitoring agency implementation; convening senior agency officials; \ncoordinating Government-wide efforts; providing operational and \ntechnical assistance; providing, as appropriate, intelligence and other \ninformation about cyber threats, vulnerabilities, and incidents to \nagencies; and developing and overseeing implementation of binding \noperational directives, among other actions. DHS leverages the full \nrange of authorities to address supply chain risks across the Federal \nGovernment.\n    DHS is working with the Department of Defense (DOD), the \nintelligence community, and other agencies to address key supply chain \nrisks. In January 2018, NPPD established a C-SCRM initiative to \ncentralize DHS\'s efforts to address risks to the ICT supply chains of \nFederal agencies, critical infrastructure owners and operators, and \nState, local, Tribal, and territorial governments. The mission of the \nC-SCRM initiative is to identify, assess, prevent, and mitigate risks \nassociated with ICT product and service supply chains throughout the \nlife cycle. 
Initially this initiative will focus on identifying and \naddressing supply chain risks related to the Federal Government\'s high-\nvalue assets (HVAs), or those assets, Federal information systems, \ninformation, and data for which unauthorized access, use, disclosure, \ndisruption, modification, or destruction could cause a significant \nimpact to U.S. National security interests, foreign relations, the \neconomy, or to the public confidence, civil liberties, or public health \nand safety of the American people. Additionally, DHS, in partnership \nwith the General Services Administration, is working to bridge the gap \nbetween procurement and ICT professionals by providing acquisition \nprofessionals with awareness, training, and educational content to be \navailable through the Federal Acquisition Institute.\n    Since 2017, NPPD has required Continuous Diagnostics and Mitigation \n(CDM) vendors to complete a SCRM questionnaire as part of their \napplication to place a product on the CDM-approved products list. The \nquestionnaire provides information to agencies about how the vendor \nidentifies, assesses, and mitigates supply chain risks in order to \nfacilitate better-informed decision making. The information is intended \nto provide visibility into, and improve the buyer\'s understanding of, \nhow the products are developed, integrated, and deployed; as well as \nthe processes, procedures, and practices used to assure the integrity, \nsecurity, resilience, and quality of those products.\n          intelligence support and countering illicit activity\n    Despite the gaps in DHS\'s ability to use intelligence information \nto support its procurement actions, DHS has a variety of efforts \ncurrently underway within our existing authorities to help address \nthese risks. One such effort is the strengthening of our \ncounterintelligence capabilities. 
These capabilities include resources
within DHS I&A as well as strengthening partnerships across other key
components of the U.S. IC. Additionally, DHS components, including the
U.S. Secret Service, U.S. Customs and Border Protection, and U.S.
Immigration and Customs Enforcement, play a critical role in
identifying and disrupting illicit activity impacting supply chain
risk. In collaboration with the Federal Bureau of Investigation, and
the Departments of State, Treasury, Commerce, and Defense, we are
actively leveraging our individual and collective authorities to
counter malicious actors and mitigate supply chain risks.
                               conclusion
    As DHS looks at the current threat landscape and the risk posed by
increasingly sophisticated adversaries, we appreciate the committee's
interest in supply chain risk management and look forward to working
with the Members and your staff on these issues. Thank you for the
opportunity to testify before the subcommittees. We are happy to answer
any questions you may have.

    Mr. King. Thank you very much, Ms. Correa. I appreciate
that.
    Our second witness, Dr. John Zangardi, is the chief
information officer for DHS. Previously, Dr. Zangardi served as
the DOD principal deputy chief information officer and later
the acting chief information officer. Dr. Zangardi's background
includes acquisition, policy, legislative affairs, resourcing,
and operations. He is a retired Naval flight officer and served
in a variety of command and staff assignments.
    The Chair now recognizes Dr. Zangardi. Thank you for being
here today.

 STATEMENT OF JOHN ZANGARDI, CHIEF INFORMATION OFFICER, OFFICE
 OF THE CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF HOMELAND
                            SECURITY

    Mr. Zangardi. Chairman King, Chairman Perry, Ranking Member
Correa, Ranking Member Rice, and Members of the subcommittees,
thank you for this opportunity to discuss ways to improve the
Department of Homeland Security's ability to effectively manage
supply chain risk.
    The Department's Secretary has two primary sets of supply
chain risk management responsibilities related to information
and communications technology. In one set, the Secretary is
responsible for procurement and supply chain risk management
within DHS's information and communications environment. These
responsibilities are carried out by DHS's chief procurement
officer and the chief information officer.
    In carrying out the other set of responsibilities, the
Secretary of DHS, in consultation with the Office of Management
and Budget, administers the implementation of Government-wide
information security policies and practices. These
responsibilities are carried out by the National Protection and
Programs Directorate, or NPPD. My focus today will be on the
supply chain risk management activities within DHS's
information and communications technology environment.
    Gaps exist in the Department's authority to use
intelligence to support its procurement decisions when a
significant supply chain risk cannot be mitigated. Mitigation
is the preferred and least disruptive method of addressing
supply chain risk. However, in those exceptional cases where
mitigation is not possible, the Department needs the capability
to react swiftly while appropriately restricting a disclosure
of other National security-sensitive information.
    The administration has been working to establish a
strategic statutory framework to protect our Federal supply
chain by conducting supply chain risk assessments, creating
mechanisms for sharing supply chain information, and
establishing exclusion authorities, both within agencies and in
a centralized manner, to be utilized when justified. We look
forward to supporting the administration's work with Congress
on the bill and strengthening our ability to execute mission in
an environment of changing vulnerabilities and threats.
    DHS needs flexibility while protecting the integrity of the
procurement process. DHS will ensure important safeguards, such
as requiring factual findings, written determinations, and
concurrences by specified senior DHS officials are in place
when the authority as proposed by the administration is used.
We do not see using this authority to drive sole-source
procurements. Competition, particularly in the IT space, is
critical to ensure that DHS gets the best solution at the right
cost.
    DHS procedures will facilitate the timely assessment and
mitigation of risk and preclude compromising DHS systems. It is
key to ensure we have a strong process surrounding supply chain
risk management.
A strong supply chain risk management process
needs to ensure that vendors are queried on supply chain risk
process, there is awareness of the systems on the network and a
rapid response to intelligence tippers, and there is a close
working relationship with the component CIOs and CISOs, the
chief procurement officer, the acquisition community,
intelligence, and NPPD.
    As the IT technical authority for DHS, my chief information
security officer, or CISO, has initiated work to directly
support and execute technical assessments, providing subject-
matter expertise, and be the integration point for all
enterprise supply chain management efforts.
    In addition, this team will develop program documentation
that will align with current policies and procedures while
providing programmatic subject-matter expertise to DHS
stakeholders and risk owners.
    With the support of the DHS components and offices, my team
will continue to focus on governance by enhancing policy,
procedures, and compliance monitoring capability of SCRM
activities, services, by providing supply chain risk management
services such as information and communications technology
assessments and intelligence analysis reporting and operations,
which includes the execution and implementation of supply chain
risk management recommendations and selected IT acquisitions.
    DHS recognizes the importance of establishing an enterprise
approach to managing supply chain risk associated with
information and communications technology. The supply chain for
information and communications technology is complex. We have
our work cut out for us. Working closely with our partners, we
will find the best and most realistic approach for
strengthening our supply chain.
    The Department appreciates the support of this committee on
these important matters. We will continue to work with Congress
to address existing gaps in authority where resources are
required to effectively manage supply chain risk within DHS.
    Thank you for the opportunity to testify today, and I look
forward to your questions.
    Mr. King. Thank you very much, Dr. Zangardi.
    Our third witness, Ms. Jeanette Manfra, serves as the
assistant secretary of the Office of Cybersecurity and
Communications at the National Protection and Programs
Directorate within DHS. Ms. Manfra leads the Department's
mission of strengthening the security and resilience of the
Nation's critical infrastructure. Prior to this position, she
served as the acting deputy under secretary for cybersecurity
and the director for strategy, policy, and plans for the NPPD.
Ms. Manfra served in the U.S. Army as a communications
specialist and a military intelligence officer. I now recognize
Ms. Manfra for an opening statement. Thank you.

 STATEMENT OF JEANETTE MANFRA, ASSISTANT SECRETARY, OFFICE OF
   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Manfra. Chairman King, Chairman Perry, Ranking Member
Correa, Ranking Member Rice, Members of the subcommittees,
thank you for today's opportunity to discuss the Department's
on-going efforts to assess and mitigate supply chain risk.
    The information and communications technology supply chain
is a source of significant risk. The globalization of our
supply chain results in component parts, services, and
manufacturing from sources distributed around the world.
Vulnerabilities in technology can be created intentionally or
unintentionally through a variety of means, including
deliberate mislabeling and counterfeits, unauthorized
production, tampering, theft and insertion of malicious
software or hardware.
If these risks are not detected and
mitigated, the result is adverse impacts to essential
Government or critical infrastructure systems.
    The Office of the Director of National Intelligence
acknowledges that the United States is under systemic assault
by foreign intelligence entities, who target the equipment,
systems, and information used every day by Government,
business, and individual citizens. Our adversaries are able to
use the supply chain's complexity to obfuscate their efforts to
penetrate sensitive research and development programs, steal
intellectual property and personally identifiable information,
insert malware into critical components and mask foreign
ownership, control, and/or influence of key providers of
components and services.
    Cyber supply chain risk management requires addressing
product security throughout its life cycle, including design,
development, acquisition, distribution, deployment,
maintenance, and product retirement. Current law governing
information security for Federal information resources requires
agencies to implement an agency-wide information security
program that ensures that information security, including
supply chain security, is addressed throughout the life cycle
of each agency information system.
    At the National Protection and Programs Directorate, or
NPPD, we carry out the Secretary's responsibilities to
administer the implementation of Government-wide information
security policies and practices and to coordinate the overall
Federal effort to enhance the security and resilience of our
Nation's critical infrastructure. These statutory
responsibilities for Federal agencies include monitoring
implementation, convening senior officials, coordinating
Government-wide efforts, providing operational and technical
assistance, providing, as appropriate, intelligence and other
information about cyber threats, vulnerabilities, and
incidents, and developing and overseeing implementation of
binding operational directives, among other actions. We
leverage the full range of these authorities to address supply
chain risks across the Federal Government.
    In January 2018, we at NPPD established a cyber supply
chain risk management program to facilitate National efforts to
address risks to the information and communications technology
supply chains of Federal agencies, critical infrastructure
owners and operators, and State, local, Tribal, and territorial
governments. We are working with DOD, the intelligence
community, and other agencies in these efforts.
    Initially, this program is focusing on identifying and
addressing supply chain risks related to the Federal
Government's high-value assets. Additionally, in partnership
with the General Services Administration, we are working to
bridge the gap between procurement and information technology
professionals by providing awareness, training, and educational
content through the Federal Acquisition Institute. Through the
continuous diagnostics and mitigation program, NPPD procures
cybersecurity tools to deploy inside Federal agency networks.
    Since 2017, NPPD has required CDM vendors to complete a
supply chain risk management questionnaire as part of the
product approval process. The questionnaire provides
information to agencies about how the vendor identifies,
assesses, and mitigates supply chain risks in order to
facilitate better-informed decision making. The information is
intended to improve the buyer's understanding of how the
products are developed, integrated, and deployed as well as the
processes, procedures, and practices used to assure the
integrity, security, resilience, and quality of those products.
    Before closing, I would note that this administration is
working to establish a strategic framework to protect our
Federal supply chain by conducting supply chain risk
assessments, creating mechanisms for sharing supply chain risk
and mitigation information, and establishing exclusion
authorities, both within agencies and in a centralized manner,
to be utilized when justified.
    As the Department works to address the risk posed by
increasingly sophisticated adversaries, we appreciate the
committee's interest in this topic and the work that you have
done and look forward to working with Members and your staff on
these issues.
    Thank you for the opportunity to testify, and I look
forward to your questions.
    Mr. King. Thank you, Ms. Manfra, I appreciate that.
    Our fourth witness is Mr. Gregory Wilshusen, the director
of information security issues at the U.S. Government
Accountability Office.
    Mr. Wilshusen leads information security-related studies
and audits of the Federal Government. He has over 30 years of
auditing, financial management, and information system
experience.
    The Chair now recognizes Mr. Wilshusen for his opening
statement. Thank you.

  STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR OF INFORMATION
       SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Thank you. Chairman King, Chairman Perry,
Ranking Members Rice and Correa, and Members of the
subcommittee, thank you for the opportunity to testify at
today's hearing on the Homeland Security supply chain.
    Information technology systems are essential to the
operations of the Federal Government.
These systems are created
and delivered through a complex global supply chain that
involves a multitude of organizations, individuals, activities,
and resources.
    My testimony today provides an overview of the information
security risks associated with the supply chains used by
Federal agencies to procure IT systems. As requested, I will
also discuss our 2012 assessment of the extent to which 4
National security-related agencies, the Departments of Defense,
Justice, Energy, and Homeland Security, had addressed these
risks. Before I do, if I may, I would like to recognize two
members of my team, Jeff Knott and Rosanna Guerrero, for their
efforts in developing my statement. Thank you.
    In several reports issued since 2012, we have pointed out
that the reliance on complex global IT supply chains introduces
multiple risks to Federal information and communication
systems. This includes the risk that these systems are being
manipulated or damaged by leading foreign cyber threat nations,
such as Russia, China, Iran, and North Korea. Threats and
vulnerabilities created by these cyber threat nations, vendors,
or suppliers closely linked to cyber threat nations and other
malicious actors can be sophisticated and difficult to detect
and, thus, pose a significant risk to organizations and Federal
agencies.
    As we reported in March 2012, supply chain threats are
present at various phases throughout a system's development
life cycle. These threats include insertion of harmful or
malicious software and hardware, installation of counterfeit
items, disruption in the production or distribution of
essential products and services, reliance on unqualified or
malicious service providers, and installation of software and
hardware containing unintentional vulnerabilities.
    These threats can be exercised by exploiting
vulnerabilities that can exist at multiple points in the supply
chain. Examples of these vulnerabilities include weaknesses in
agency acquisition practices, such as acquiring products or
parts from sources other than the original manufacturer or
authorized reseller, incomplete information on IT suppliers,
and installing hardware and software without sufficiently
inspecting or testing them.
    These threats and vulnerabilities can potentially lead to a
range of harmful effects, including allowing adversaries to
take control of systems, extract or manipulate data, or
decrease the availability of resources needed to develop or
operate systems.
    In March 2012, we reported that the Departments of Defense,
Justice, Energy, and Homeland Security varied in the extent to
which they had addressed IT supply chain risks. Of the 4
agencies, Defense had made the most progress and had
implemented several risk management efforts. Conversely, the
other 3 agencies had made limited progress addressing supply
chain risk for their information systems.
    We made 8 recommendations to Justice, Energy, and DHS to
develop and document policies, procedures, and monitoring
capabilities that address IT supply chain risk. The agencies
subsequently implemented 7 recommendations and partially
implemented the eighth. These actions better positioned the
agencies to monitor and mitigate their supply chain risks.
    In summary, the global IT supply chain introduces a myriad
of security risks to Federal information systems that, if
realized, could jeopardize the confidentiality, integrity, and
availability of the systems and the information they contain.
Thus, the potential exists for serious adverse impacts on an
agency's operations, assets, and employees.
These factors
highlight the importance of Federal agencies appropriately
assessing, managing, and monitoring IT supply chain risk as
part of their agency-wide information security programs.
    Chairman King, Chairman Perry, Ranking Members Rice and
Correa, and other Members of the subcommittees, this concludes
my oral statement. I will be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]
                   Statement of Gregory C. Wilshusen
                             July 12, 2018
    Chairmen King and Perry, Ranking Members Rice and Correa, and
Members of the subcommittees: Thank you for the opportunity to testify
at today's hearing on keeping adversaries away from the homeland
security supply chain. As you know, Federal agencies and the owners and
operators of our Nation's critical infrastructure rely extensively on
information technology (IT) and IT services to carry out their
operations. Securing this technology, its supply chain, and the
information it contains is essential to protecting National and
economic security.
    Since 1997, we have identified Federal information security as a
Government-wide high-risk area. In 2003, we expanded this high-risk
area to include protecting systems supporting our Nation's critical
infrastructure.\1\
---------------------------------------------------------------------------
    \1\ See, most recently, GAO, High-Risk Series: Progress on Many
High-Risk Areas, While Substantial Efforts Needed on Others, GAO-17-317
(Washington, DC: Feb. 15, 2017).
---------------------------------------------------------------------------
    My statement provides an overview of the information security risks
associated with the supply chains used by Federal agencies to procure
IT equipment, software, or services.\2\ The statement also discusses
our 2012 assessment of the extent to which 4 National security-related
agencies--the Departments of Defense, Justice, Energy, and Homeland
Security (DHS)--had addressed these risks.\3\
---------------------------------------------------------------------------
    \2\ The National Institute of Standards and Technology (NIST) has
defined the term ``supply chain'' as a set of organizations, people,
activities, information, and resources that create and move a product
or service from suppliers to an organization's customers. NIST defines
``information technology'' as any equipment or interconnected system or
subsystem of equipment that is used in the automatic acquisition,
storage, manipulation, management, movement, control, display,
switching, interchange, transmission, or reception of data or
information. This includes, among other things, computers, software,
firmware, and services (including support services).
    \3\ GAO, IT Supply Chain: National Security-Related Agencies Need
to Better Address Risks, GAO-12-361 (Washington, DC: Mar. 23, 2012).
---------------------------------------------------------------------------
    In developing this testimony, we relied on our previous reports,\4\
as well as information provided by the National security-related
agencies on their actions in response to our previous recommendations.
We also considered information contained in special publications issued
by the National Institute of Standards and Technology (NIST) and a
directive issued by DHS. A more detailed discussion of the objectives,
scope, and methodology for this work is included in each of the reports
that are cited throughout this statement.
---------------------------------------------------------------------------
    \4\ See GAO-12-361; State Department Telecommunications:
Information on Vendors and Cyber-Threat Nations, GAO-17-688R
(Washington, DC: July 27, 2017); and Telecommunications Networks:
Addressing Potential Security Risks of Foreign-Manufactured Equipment,
GAO-13-625T (Washington, DC: May 21, 2013).
---------------------------------------------------------------------------
    The work on which this statement is based was conducted in
accordance with generally accepted Government auditing standards. Those
standards require that we plan and perform audits to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions. We believe that the evidence obtained provided a
reasonable basis for our findings and conclusions based on our audit
objectives.
                               background
    The design and development of information systems can be complex
undertakings, consisting of a multitude of pieces of equipment and
software products, and service providers. Each of the components of an
information system may rely on one or more supply chains--that is, the
set of organizations, people, activities, information, and resources
that create and move a product or service from suppliers to an
organization's customers.
    Obtaining a full understanding of the sources of a given
information system can also be extremely complex. According to the
Software Engineering Institute, the identity of each product or service
provider may not be visible to others in the supply chain. Typically,
an acquirer, such as a Federal agency, may only know about the
participants to which it is directly connected in the supply chain.
Further, the complexity of corporate structures, in which a parent
company (or its subsidiaries) may own or control companies that conduct
business under different names in multiple countries, presents
additional challenges to fully understanding the sources of an
information system. As a result, the acquirer may have little
visibility into the supply chains of its suppliers.
    Federal procurement law and policies promote the acquisition of
commercial products when they meet the Government's needs. Commercial
providers of IT use a global supply chain to design, develop,
manufacture, and distribute hardware and software products throughout
the world. Consequently, the Federal Government relies heavily on IT
equipment manufactured in foreign nations.
    Federal information and communications systems can include a
multitude of IT equipment, products, and services, each of which may
rely on one or more supply chains. These supply chains can be long,
complex, and globally distributed and can consist of multiple tiers of
outsourcing. As a result, agencies may have little visibility into,
understanding of, or control over how the technology that they acquire
is developed, integrated, and deployed, as well as the processes,
procedures, and practices used to ensure the integrity, security,
resilience, and quality of the products and services. Table 1
highlights possible manufacturing locations of typical components of a
computer or information systems network.

TABLE 1.--POSSIBLE MANUFACTURING LOCATIONS OF TYPICAL NETWORK COMPONENTS
------------------------------------------------------------------------
                                              Possible Manufacturing
               Component                            Locations
------------------------------------------------------------------------
Workstations...........................  United States, Israel, Spain,
                                          China, Malaysia, Singapore,
                                          United Kingdom.
Notebook computers.....................  United States, Israel, Spain,
                                          China, Malaysia, Singapore,
                                          United Kingdom.
Routing and switching..................  United States, India, Belgium,
                                          Canada, China, Germany,
                                          Israel, Japan, Netherlands,
                                          Poland, United Kingdom.
Fiber optic cabling....................  China, Malaysia, Vietnam,
                                          Japan, Thailand, Indonesia.
Servers................................  Brazil, Canada, United States,
                                          India, Japan, France, Germany,
                                          United Kingdom, Israel,
                                          Singapore.
Printers...............................  Japan, United States, Germany,
                                          France, Netherlands, Taiwan,
                                          China, Malaysia, Thailand,
                                          Vietnam, Philippines.
------------------------------------------------------------------------
Source: GAO analysis of public information/GAO-18-667T.

    Moreover, many of the manufacturing inputs required for these
components--whether physical materials or knowledge--are acquired from
various sources around the globe.
Figure 1 depicts the potential
countries of origin of common suppliers of various components in a
commercially available laptop computer.
<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>

Federal Laws and Guidelines Require the Establishment of Information
        Security Programs and Provide for Managing Supply Chain Risk
    The Federal Information Security Modernization Act (FISMA) of 2014
requires Federal agencies to develop, document, and implement an
agency-wide information security program to provide information
security for the information systems and information that support the
operations and assets of the agency.\5\ The act also requires that
agencies ensure that information security is addressed throughout the
life cycle of each agency information system. FISMA assigns NIST the
responsibility for providing standards and guidelines on information
security to agencies. In addition, the act authorizes DHS to develop
and issue binding operational directives to agencies, including
directives that specify requirements for the mitigation of exigent
risks to information systems.
---------------------------------------------------------------------------
    \5\ FISMA 2014 (Pub. L. No. 113-283, Dec. 18, 2014) largely
superseded the Federal Information Security Management Act of 2002
(FISMA 2002), enacted as Title III, E-Government Act of 2002, Pub. L.
No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). As used in this
statement, FISMA refers both to FISMA 2014 and to those provisions of
FISMA 2002 that were either incorporated into FISMA 2014 or were
unchanged and continue in full force and effect.
---------------------------------------------------------------------------
    NIST has issued several special publications (SP) that provide
guidelines to Federal agencies on controls and activities relevant to
managing supply chain risk. For example,
  <bullet> NIST SP 800-39 provides an approach to organization-wide
        management of information security risk, which states that
        organizations should monitor risk on an on-going basis as part
        of a comprehensive risk management program.\6\
---------------------------------------------------------------------------
    \6\ NIST, Managing Information Security Risk: Organization,
Mission, and Information System View, SP 800-39 (Gaithersburg, MD:
March 2011).
---------------------------------------------------------------------------
  <bullet> NIST SP 800-53 (Revision 4) provides a catalogue of controls
        from which agencies are to select controls for their
        information systems. It also specifies several control
        activities that organizations could use to provide additional
        supply chain protections, such as conducting due diligence
        reviews of suppliers and developing acquisition policy, and
        implementing procedures that help protect against supply chain
        threats throughout the system development life cycle.\7\
---------------------------------------------------------------------------
    \7\ NIST, Security and Privacy Controls for Federal Information
Systems and Organizations, SP 800-53, Revision 4 (Gaithersburg, MD:
April 2013).
---------------------------------------------------------------------------
  <bullet> NIST SP 800-161 provides guidance to Federal agencies on
        identifying, assessing, selecting, and implementing risk
        management processes and mitigating controls throughout their
        organizations to help manage information and communications
        technology supply chain risks.\8\
---------------------------------------------------------------------------
    \8\ NIST, Supply Chain Risk Management Practices for Federal
Information Systems and Organizations, SP-800-161 (Gaithersburg, MD:
April 2015).
---------------------------------------------------------------------------
    In addition, as of June 2018, DHS has issued one binding
operational directive related to an IT supply chain-related threat.
Specifically, in September 2017, DHS issued a directive to all Federal
Executive branch departments and agencies to remove and discontinue
present and future use of Kaspersky-branded products on all Federal
information systems.\9\ In consultation with interagency partners, DHS
determined that the risks presented by these products justified their
removal.
---------------------------------------------------------------------------
    \9\ DHS, Removal of Kaspersky-Branded Products, BOD-17-01
(Washington, DC: Sept. 13, 2017).
---------------------------------------------------------------------------
    Beyond these guidelines and requirements, the Ike Skelton National
Defense Authorization Act for Fiscal Year 2011 also included provisions
related to supply chain security.
Specifically, Section 806 authorizes \nthe Secretaries of Defense, the Army, the Navy, and the Air Force to \nexclude a contractor from specific types of procurements on the basis \nof a determination of significant supply chain risk to a covered \nsystem.\\10\\ Section 806 also establishes requirements for limiting \ndisclosure of the basis of such procurement action.\n---------------------------------------------------------------------------\n    \\10\\ The act defines ``supply chain risk\'\' as ``risk that an \nadversary may sabotage, maliciously introduce unwanted function, or \notherwise subvert the design, integrity, manufacturing, production, \ndistribution, installation, operation, or maintenance of a covered \nsystem so as to surveil, deny, disrupt, or otherwise degrade the \nfunction, use, or operation of such system.\'\'\n---------------------------------------------------------------------------\n   it supply chains introduce numerous information security risks to \n                            federal agencies\n    In several reports issued since 2012,\\11\\ we have pointed out that \nthe reliance on complex, global IT supply chains introduces multiple \nrisks to Federal information and telecommunications systems. 
This \nincludes the risk of these systems being manipulated or damaged by \nleading foreign cyber-threat nations such as Russia, China, Iran, and \nNorth Korea.\\12\\ Threats and vulnerabilities created by these cyber-\nthreat nations, vendors, or suppliers closely linked to cyber-threat \nnations,\\13\\ and other malicious actors can be sophisticated and \ndifficult to detect and, thus, pose a significant risk to organizations \nand Federal agencies.\n---------------------------------------------------------------------------\n    \\11\\ GAO-12-361, GAO-13-652T, and GAO-17-688R.\n    \\12\\ The Office of the Director of National Intelligence has \nidentified Russia, China, Iran, and North Korea as leading cyber-threat \nnations in its Worldwide Threat Assessment of the U.S. Intelligence \nCommunity (Washington, DC: Feb. 9, 2016 and Feb. 13, 2018).\n    \\13\\ The Department of State Authorities Act, Fiscal Year 2017, \ndefines ``closely linked\'\' as, with respect to a foreign supplier, \ncontactor, or subcontractor and a cyber threat nation: (1) Incorporated \nor headquartered in the territory; (2) having ties to the military \nforces; (3) having ties to the intelligence services; or (4) the \nbeneficiary of significant low-interest or no-interest loans, loan \nforgiveness, or other support of a leading cyber threat nation. The Act \nalso included a provision for GAO to review the Department of State\'s \n(State) critical telecommunications equipment or services obtained from \nmanufacturers or suppliers that are closely linked to the leading cyber \nthreat nations. 
Based on GAO\'s open source review of generalizable \nsamples of 52 telecommunications device manufacturers and software \ndevelopers supporting the State\'s critical telecommunications \ncapabilities and 100 of State\'s telecommunications contractors, GAO \nidentified 16 companies--12 equipment manufacturers and software \ndevelopers and 4 telecommunications contractors--with suppliers \nreported to be headquartered in cyber threat nations. All of these \nsuppliers were reported to be headquartered in China or, in one case, \nRussia. The data did not establish whether State\'s telecommunications \ncapabilities were supported by equipment or software originating from \nsuppliers linked to companies in GAO\'s samples. GAO did not identify \nany reported military ties, intelligence ties, or low-interest loans \ninvolving cyber threat nations among any of the suppliers. See GAO-17-\n688R.\n---------------------------------------------------------------------------\n    As we reported in March 2012,\\14\\ supply chain threats are present \nat various phases of a system\'s development life cycle. Key threats \nthat could create an unacceptable risk to Federal agencies include the \nfollowing.\n---------------------------------------------------------------------------\n    \\14\\ GAO-12-361.\n---------------------------------------------------------------------------\n  <bullet> Installation of hardware or software containing malicious \n        logic, which is hardware, firmware, or software that is \n        intentionally included or inserted in a system for a harmful \n        purpose. 
        Malicious logic can cause significant damage by
        allowing attackers to take control of entire systems and,
        thereby, read, modify, or delete sensitive information; disrupt
        operations; launch attacks against other organizations'
        systems; or destroy systems.
  <bullet> Installation of counterfeit hardware or software, which is
        hardware or software containing non-genuine component parts or
        code. According to the Defense Department's Information
        Assurance Technology Analysis Center, counterfeit IT threatens
        the integrity, trustworthiness, and reliability of information
        systems for several reasons, including the facts that: (1)
        Counterfeits are usually less reliable and, therefore, may fail
        more often and more quickly than genuine parts; and (2)
        counterfeiting presents an opportunity for the counterfeiter to
        insert malicious logic or back doors \15\ into replicas or
        copies that would be far more difficult in more secure
        manufacturing facilities.\16\
---------------------------------------------------------------------------
    \15\ A ``back door'' is a general term for a malicious program that
can potentially give an intruder remote access to an infected computer.
    \16\ Information Assurance Technology Analysis Center, Security
Risk Management for the Off-the-Shelf (OTS) Information and
Communications Technology (ICT) Supply Chain, An Information Assurance
Technology Analysis Center State of the Art Report, DO 380 (Herndon,
VA: August 2010).
---------------------------------------------------------------------------
  <bullet> Failure or disruption in the production or distribution of
        critical products.
        Both man-made (e.g., disruptions caused by
        labor, trade, or political disputes) and natural (e.g.,
        earthquakes, fires, floods, or hurricanes) causes could
        decrease the availability of material needed to develop systems
        or disrupt the supply of IT products critical to the operations
        of Federal agencies.
  <bullet> Reliance on a malicious or unqualified service provider for
        the performance of technical services. By virtue of their
        position, contractors and other service providers may have
        access to Federal data and systems. Service providers could
        attempt to use their access to obtain sensitive information,
        commit fraud, disrupt operations, or launch attacks against
        other computer systems and networks.
  <bullet> Installation of hardware or software that contains
        unintentional vulnerabilities, such as defects in code that can
        be exploited. Cyber attackers may focus their efforts on, among
        other things, finding and exploiting existing defects in
        software code. Such defects are usually the result of
        unintentional coding errors or misconfigurations, and can
        facilitate attempts by attackers to gain unauthorized access to
        an agency's information systems and data, or disrupt service.
    We noted in the March 2012 report that threat actors \17\ can
introduce these threats into Federal information systems by exploiting
vulnerabilities that could exist at multiple points in the global
supply chain. In addition, supply chain vulnerabilities can include
weaknesses in agency acquisition or security procedures, controls, or
implementation related to an information system.
Examples of the types
of vulnerabilities that could be exploited include:
---------------------------------------------------------------------------
    \17\ Supply chain-related threat actors include foreign
intelligence services and militaries, corporate spies, corrupt
government officials, cyber vandals, disgruntled employees, radical
activists, purveyors of counterfeit goods, or criminals.
---------------------------------------------------------------------------
  <bullet> acquisitions of IT products or parts from sources other than
        the original manufacturer or authorized reseller, such as
        independent distributors, brokers, or on the gray market;
  <bullet> lack of adequate testing for software updates and patches;
        and
  <bullet> incomplete information on IT suppliers.
    If a threat actor exploits an existing vulnerability, it could lead
to the loss of the confidentiality, integrity, or availability of the
system and associated information.
This, in turn, can adversely affect
an agency's ability to carry out its mission.
four national security-related agencies have acted to better address it
            supply chain risks for their information systems
    In March 2012, we reported that the four National security-related
agencies (i.e., Defense, Justice, Energy, and DHS) had acknowledged the
risks presented by supply chain vulnerabilities.\18\ However, the
agencies varied in the extent to which they had addressed these risks
by: (1) Defining supply chain protection measures for Department
information systems, (2) developing implementing procedures for these
measures, and (3) establishing capabilities for monitoring compliance
with, and the effectiveness of, such measures.
---------------------------------------------------------------------------
    \18\ GAO-12-361.
---------------------------------------------------------------------------
    Of the four agencies, the Department of Defense had made the most
progress addressing the risks.
Specifically, the Department's supply
chain risk management efforts began in 2003 and included:
  <bullet> a policy requiring supply chain risk to be addressed early
        and across a system's entire life cycle and calling for an
        incremental implementation of supply chain risk management
        through a series of pilot projects;
  <bullet> a requirement that every acquisition program submit and
        update a ``program protection plan'' that was to, among other
        things, help manage risks from supply chain exploits or design
        vulnerabilities;
  <bullet> procedures for implementing supply chain protection
        measures, such as an implementation guide describing 32
        specific measures for enhancing supply chain protection and
        procedures for program protection plans identifying ways in
        which programs should manage supply chain risk; and
  <bullet> a monitoring mechanism to determine the status and
        effectiveness of supply chain protection pilot projects, as
        well as monitoring compliance with and effectiveness of program
        protection policies and procedures for several acquisition
        programs.
    Conversely, our report noted that the other three agencies had made
limited progress in addressing supply chain risks for their information
systems. For example:
  <bullet> The Department of Justice had defined specific security
        measures for protecting against supply chain threats through
        the use of provisions in vendor contracts and agreements.
        Officials identified: (1) A citizenship and residency
        requirement and (2) a National security risk questionnaire as
        two provisions that addressed supply chain risk.
        However,
        Justice had not developed procedures for ensuring the effective
        implementation of these protection measures or a mechanism for
        verifying compliance with, and the effectiveness of these
        measures. We stressed that, without such procedures, Justice
        would have limited assurance that its Departmental information
        systems were being adequately protected against supply chain
        threats.
  <bullet> In May 2011, the Department of Energy revised its
        information security program, which required Energy components
        to implement provisions based on NIST and Committee on National
        Security Systems guidance. However, the Department was unable
        to provide details on implementation progress, milestones for
        completion, or how supply chain protection measures would be
        defined. Because it had not defined these measures or
        associated implementing procedures, we reported that the
        Department was not in a position to monitor compliance or
        effectiveness.
  <bullet> Although its information security guidance mentioned the
        NIST control related to supply chain protection, DHS had not
        defined the supply chain protection control activities that
        system owners should employ. The Department's information
        security policy manager stated that DHS was in the process of
        developing policy that would address supply chain protection,
        but did not provide details on when it would be completed. In
        the absence of such a policy, DHS was not in a position to
        develop implementation procedures or to monitor compliance or
        effectiveness.
    To assist Justice, Energy, and DHS in better addressing IT supply
chain-related security risks for their Departmental information
systems, we made 8 recommendations to these 3 agencies in our 2012
report.
Specifically, we recommended that Energy and DHS:
  <bullet> develop and document Departmental policy that defines which
        security measures should be employed to protect against supply
        chain threats.
    We also recommended that Justice, Energy, and DHS:
  <bullet> develop, document, and disseminate procedures to implement
        the supply chain protection security measures defined in
        Departmental policy, and
  <bullet> develop and implement a monitoring capability to verify
        compliance with, and assess the effectiveness of, supply chain
        protection measures.
    The 3 agencies generally agreed with our recommendations and,
subsequently, implemented 7 of the 8 recommendations. Specifically, we
verified that Justice and Energy had implemented each of the
recommendations we made to them by 2016. We also confirmed that DHS had
implemented 2 of the 3 recommendations we made to that agency by 2015.
    However, as of fiscal year 2016,\19\ DHS had not fully implemented
our recommendation to develop and implement a monitoring capability to
verify compliance with, and assess the effectiveness of, supply chain
protections. Although the Department had developed a policy and
approach for monitoring supply chain risk management activities, it
could not provide evidence that its components had actually implemented
the policy. Thus, we were not able to close the recommendation as
implemented.
Nevertheless, the implementation of the 7 recommendations
and partial implementation of the eighth recommendation better
positioned the 3 agencies to monitor and mitigate their IT supply chain
risks.
---------------------------------------------------------------------------
    \19\ GAO reviews agency actions to implement its recommendations
and may decide to close a recommendation as not implemented if an
agency has not implemented the recommendation within 4 fiscal years of
GAO making the recommendation. Fiscal year 2016 was the fourth fiscal
year after GAO made the recommendations to DHS in its March 2012
report.
---------------------------------------------------------------------------
    In addition, we reported in March 2012 that the 4 National
security-related agencies had participated in interagency efforts to
address supply chain security, including participation in the
Comprehensive National Cybersecurity Initiative,\20\ development of
technical and policy tools, and collaboration with the intelligence
community. In support of the cybersecurity initiative, Defense and DHS
jointly led an interagency initiative on supply chain risk management
to address issues of globalization affecting the Federal Government's
IT. Also, DHS had developed a comprehensive portfolio of technical and
policy-based product offerings for Federal civilian departments and
agencies, including technical assessment capabilities, acquisition
support, and incident response capabilities. The efforts of the 4
agencies could benefit all Federal agencies in addressing their IT
supply chain risks.
---------------------------------------------------------------------------
    \20\ Begun by the Bush administration in 2008, the Comprehensive
National Cybersecurity Initiative is a series of initiatives aimed at
improving cybersecurity within the Federal Government.
This initiative,
which is composed of 12 projects with the objective of safeguarding
Federal Executive branch information systems, includes a project
focused on addressing global supply chain risk management.
---------------------------------------------------------------------------
    In summary, the global IT supply chain introduces a myriad of
security risks to Federal information systems that, if realized, could
jeopardize the confidentiality, integrity, and availability of Federal
information systems. Thus, the potential exists for serious adverse
impact on an agency's operations, assets, and employees. These factors
highlight the importance and urgency of Federal agencies appropriately
assessing, managing, and monitoring IT supply chain risk as part of
their agency-wide information security programs.
    Chairmen King and Perry, Ranking Members Rice and Correa, and
Members of the subcommittees, this completes my prepared statement. I
would be pleased to answer your questions.

    Mr. King. You still had 17 seconds to go. Good job. Thank
you very much, Mr. Wilshusen.
    I appreciate all of you being here today. I now recognize
myself for 5 minutes. A number of us on the panel believe that
DHS should have powers similar to DOD, similar to section 806.
    Now, I guess I would ask the three representatives from DHS
how that would strengthen you if similar legislation was
adopted for DHS? But also, looking back on it, it appears that
DOD was given this authority in 2011, did not issue regulations
until 2015, and I don't even know if they have begun to
implement them yet. So if this authority is given to you, how
quickly would you be able to implement it and how would it
improve your capabilities? Ms. Correa.
    Ms. Correa. So, sir, I have looked at the authority, and I
have also looked at the proposal that has been put before--the
latest legislative proposal.
We would act very quickly and
swiftly to implement.
    We would look at our business process to see how we can
immediately train our staff and ensure that they have a full
understanding of what this authority grants us to do, and we
would issue immediate guidelines and instructions, including to
our employees but also to share with industry, on how we would
use that authority. But the very specifics, the time line, I
would have to go back and look at how quickly we could actually
implement.
    Mr. Zangardi. Sir, thank you. I concur with Soraya. The
need for this type of capability or authority is important from
a CIO's perspective. My responsibility that I have to take
under consideration and work very hard every day is the
security of the DHS network, just not for the headquarters but
for the components.
    Having the ability to react swiftly to make the right
decisions with removal of network systems or IT systems that
are threatening is very important for us in carrying out our
mission. We will work very closely with the intelligence
community and NPPD on tippers, so we know what is going on. My
team will do the technical assessment and talk very closely
with the chief procurement officer, to make sure the lines of
communication and what we are doing is very clear and
understandable.
    Mr. King. Ms. Manfra.
    Ms. Manfra. The only thing I would add is to just note that
the administration proposal would be for this authority to be
granted Government-wide. So in addition to DHS having this
ability, we want all of the Executive branch to be able to have
this authority and this capability.
    Mr. King. This is I guess the open question to you. Do you
have sufficient personnel on board now to carry out your
mission?
    Ms. Correa. I am sorry. The question was? I want to make
sure I understood the question.
    Mr. King.
Do you have sufficient personnel on board now to
carry out this mission?
    Ms. Correa. To carry out this mission? From a procurement
perspective, the answer is yes, because we would be relying on
our contracting officers, our policy and legislative team, who
actually implement any accompanying guidelines. We put out
guides. We do this on a very regular basis. So the answer is
yes, we have the staff that can do this right now.
    Mr. King. Doctor.
    Mr. Zangardi. Sir, from a CIO perspective and with regards
to my mission for protecting the DHS network, I feel that I
have sufficient folks on board in my shop. I also feel that the
communication between the technical folks and my CISO shop and
the component chief information security officers and CIOs is
more than adequate to carry this out.
    Mr. King. Ms. Manfra.
    Ms. Manfra. Our role would be different in that we wouldn't
necessarily be in charge of implementing this authority for the
Department. We are looking across the Federal Government and
building an initiative to ensure that supply chain risk
assessments are being done, that we are following up and
potentially providing continuous monitoring.
    We have just started building that program, as noted. We
currently do only have 2 people solely identified for that, but
we are building that program and were recently appropriated
some additional program dollars. So that program will be built
over the next 2 years to get to full capacity.
    Mr. King. I am down to 40 seconds. Mr. Wilshusen, based on
your studies of the departments, including DHS, over the years,
if we did give 806 authority to DHS, how long do you think it
would take them to implement it?
    Mr. Wilshusen.
That I wouldn't know exactly, but I would
say that one of the key things with the 806 authority given to
DHS is making sure that this committee and GAO and/or the
inspectors general have an opportunity to review the process
and the procedures that the Department implements in order to
effect that particular capability and authority that it has. It
is just making sure that one is able to review what DHS does in
implementing it and making sure it is done in accordance with
the law.
    Mr. King. Thank you. Miss Rice.
    Miss Rice. Thank you, Mr. Chairman.
    Ms. Correa, I would like to start with you. This hearing is
about some of the threats we face from adversarial foreign
governments. I think in order to counter these threats, we must
first fully acknowledge them and their intentions. So, with
that in mind, do you agree with the intelligence community's
January 2017 assessment and the Senate Intelligence Committee's
findings that Russia interfered in the 2016 election to benefit
the Trump campaign?
    Ms. Correa. So, ma'am, I am not intimately familiar with
that information. What I can tell you is that I agree that we
have to have the authorities in place----
    Miss Rice. OK, I have to stop you there.
    Ms. Correa. OK.
    Miss Rice. In your position, you are saying you can't
answer this question?
    Ms. Correa. Not directly, no, ma'am.
    Miss Rice. How about indirectly?
    Ms. Correa. That is what I was trying to do. That I believe
we have to have the mechanisms in place to address these
vulnerabilities and ensure that the threat assessments, the
risks, the vulnerabilities are properly addressed through the
procurement process.
    Miss Rice.
You are the chief procurement officer for the
Department of Homeland Security, and you do not have an opinion
about whether the Senate Intelligence Committee's findings and
the entire intelligence community's findings that Russia
interfered with the 2016 election to support President Trump,
you have no opinion about that?
    Ms. Correa. Ma'am, unfortunately, no, not with respect to
this.
    Miss Rice. That is frightening, frightening to me.
    How about you, Doctor?
    Mr. Zangardi. Yes, ma'am. Thank you for the opportunity to
respond.
    Miss Rice. Yes or no, do you agree with the findings?
    Mr. Zangardi. Ma'am, I am here to testify on this
authority.
    Miss Rice. No, you are here to answer questions. You are
talking about actions that all of you are taking on behalf of
the Department of Homeland Security regarding interference,
whether it is procurement process or whatever it is. If we
can't get people here, all four of you, to acknowledge that
there was interference in the 2016 election, none of you should
be in the positions that you are in to protect us in 2018 or
2020.
    So yes or no, do you have an opinion about whether Russia
interfered in the 2016 election, yes or no?
    Mr. Zangardi. Ma'am, my responsibility is to protect the
DHS network----
    Miss Rice. Your responsibility is to answer the question.
Yes or no? Say no.
    Mr. Zangardi. Ma'am, I do not have an opinion.
    Miss Rice. You have no opinion. Again, frightening.
    OK, let's move on to Ms. Manfra. Yes or no, do you agree
with the opinion of the entire intelligence----
    Ms. Manfra. I agree with the intelligence community
assessment, ma'am, and I have said so publicly previously.
    Miss Rice. Thank you.
    Mr. Wilshusen. I would also have to agree with the
Intelligence Committee, but, again, I haven't examined it.
    Miss Rice.
I appreciate your willingness to answer a
question that everyone on the panel should be able to answer.
    Despite warnings from the Federal Communications
Commission, the Department of Commerce, the Department of
Defense, and other intelligence agencies, President Trump
publicly expressed support for the Chinese telecommunications
company ZTE.
    Ms. Correa, I will start with you. Have you discussed your
concerns with the Chinese telecommunications companies with
President Trump?
    Ms. Correa. No, ma'am, I have not had any discussions with
the President.
    Miss Rice. Have you discussed it with the Secretary of the
Department of Homeland Security?
    Ms. Correa. No, ma'am. No, I have not.
    Miss Rice. You are the chief procurement, head of
procurement?
    Ms. Correa. That is correct.
    Miss Rice. Again, a frightening, frightening answer. Do you
think you should speak to her about that?
    Ms. Correa. Ma'am, I work in conjunction with my colleagues
and look at what the risks are----
    Miss Rice. OK. So again, you are not going to answer the
question.
    Doctor, how about you, have you had any discussions about--
--
    Mr. Zangardi. No.
    Miss Rice. Do you have any concerns about the President's
approach to ZTE, whatever his motivations are? We don't even
have to go into them. Do you, in your position, have concerns
about the President's stated position about ZTE, yes or no?
    Mr. Zangardi. Ma'am, I have made sure that the network has
no ZTE equipment on it.
    Miss Rice. OK. So I am going to answer for you. That would
be yes, you do have concerns?
    Mr. Zangardi. Ma'am, my responsibility is for the network
for DHS. I have ensured that the appropriate steps have been
taken to preclude the use of equipment----
    Miss Rice. So is there a reason why you can't say, answer a
question in a way that might come across as being critical of
the President? Is there a reason?
Because I have never heard an
inability from Ms. Correa and you to answer a simple yes-or-no
question. So I am just wondering why you can't or won't.
    Mr. Zangardi. Ma'am, my position is to work and ensure that
the network is safe every day, and that is what I do.
    Miss Rice. OK. What is frightening to me is that people
like you are in the positions that you are in, who will not
make statements of fact that everyone in the intel community
has made.
    Mr. Chairman, I thank you for your indulgence. I want to
thank at least the 2 of you for being willing to answer what I
think is a pretty simple question.
    Thank you, Mr. Chairman.
    Mr. King. Thank you, Miss Rice.
    Without getting into a debate--we can have it--first of
all, it was not only composed of the intelligence community. It
was the FBI and the CIA and DNI agreed in part. The other 14
did not take a position. There are legitimate questions about
the extent of the involvement. I have no doubt there was
meddling. We can debate it in another forum.
    But having been through 65, 70 witnesses on the
Intelligence Committee on this, it is not as clear as you may
think as far as who they were favoring. There is no doubt there
was meddling. But, again, it was only Brennan and Comey who
agreed in full with that recommendation.
    Mr. Perry.
    Mr. Perry. Thanks, Mr. Chairman.
    I thank the witnesses for their testimony in answering some
questions for us here. We are trying to get to the process, I
think, and understand the process that you all go through and
then find out how we, from a legislative and policy standpoint,
can support your efforts. I think all of us, regardless of our
political affiliation, don't want us to be on defense, don't
want us to be reactive, want us to be proactive. I think that
is what we are trying to get to.
So I am trying to understand,
and so my questions will be in that vein.
    I am wondering what the DHS does to recognize and address
that might already exist from products that are currently
implemented or being used by the Department. How does that
process work? Is there a continual reevaluation? I am thinking
in the context of, you know, I have got two of these things and
I have got a couple iPads and then desktop computers. I don't
know what the schedule is, but on a pretty regular basis, you
know, you have got to put in your code and update the software
and all that stuff.
    I will be honest with you, I have no idea what is happening
in there. Something's happening, right? But I am hoping that
you folks do and deal with that, and I am trying to understand
how that works. If any one of you can answer that question, you
know.
    Mr. Zangardi. So, sir, you know, the current IT
environment, as mentioned by another witness, is global. It is
complicated. It is characterized by mergers and acquisitions in
an ever-changing territory. So we have to work very hard to
deal with that. So intelligence tippers is really a key way in
which we start the process. But more importantly, backing up
within the whole acquisition process, we have to be involved at
the very beginning as the program is being looked at to
determine what systems, hardware components, software are going
in there. Then we have developed a set of questions that have
to be answered by every program.
    We have also in our 4300A handbook developed a requirement
for the components and the programs to develop policies related
to supply chain management. So we have put those in place. My
chief technical officer also vets all software against the
State Department Committee on Foreign Investment in the United
States.
So these are embedded in the process as we are going
toward to build something out.
    So when we are notified about a risk, we look at it very
closely from a technical point of view and determine if it is
something that we should mitigate or remove. Removal takes
time. It isn't an overnight process. So mitigation might
involve something simple, like setting configurations or
settings on a firewall.
    My ESOC, or my Enterprise Security Operation Center,
monitors this on a daily basis, looking for proxy signals. They
monitor it daily and they will tip off if they find anything.
We also do scans of our network and review the logs to ensure
that nothing is, you know, askew. We work very closely with the
CISOs and the component CIOs to ensure that the communication
and standards are set.
    I think part of your question deals with making sure that
patches and other things are done to make sure the network is
modern and upgraded to the current standards.
    I view cyber hygiene as part and parcel of what I do. What
I mean by cyber hygiene is ensuring that we are moving to
modern operating systems, that our patching is done up to date
and as soon as possible, and we are doing things like two-
factor authentication and PKI.
    Mr. Perry. A lot of this is pretty technical for all of us,
and we just--I hate to say it, but we are counting on you folks
to have the technical expertise that is necessary.
    Just out of curiosity, is DHS using software products with
Russian-based security codes, such as Kaspersky, NGINX, Nordic
ANT, Oxygen. I know I see a U.S. Secret Service request for
DHS, 20 licenses from Oxygen, which is a Russian-based company.
I am wondering, as a matter of protocol, does DHS look into--I
imagine but I just want to be sure--relationships with the
Russian government and--well, I will just leave it at that. If
you can answer those questions.
    Mr. Zangardi.
So, sir, we do, and we take that into account
as part of our technical assessment.
    Mr. Perry. Wait. You use those?
    Mr. Zangardi. No, sir. You asked if I take that into
account.
    Mr. Perry. OK. Yes, I just want to be clear. Right.
    Mr. Zangardi. Yes, sir. So we take it into account. To make
sure that it is part of our technical assessment, we consider
the leadership of companies, where the company is based, those
sort of qualitative factors, if you will.
    Mr. Perry. Do you know if you use any of the companies that
I listed?
    Mr. Zangardi. So, sir, I would have to take some of that as
a QFR. For companies like Huawei----
    Mr. Perry. If you could, please, I would like to----
    Mr. Zangardi. We do not have any Huawei or ZTE.
    Mr. Perry. I am happy to know that. Let me ask you this: Do
you have a--does DHS have a requirement for the companies that
you procure from that determines what security standard they
have? Somebody is writing the code. Somebody is building the
piece of equipment.
    Does DHS have a requirement? Is there a minimum standard, a
minimum security standard, background checks, et cetera, for
the vendors or the producers? Is that something that is a part
of what you do, Ms. Correa?
    Ms. Correa. Yes. Yes, sir. We actually vet the vendors, and
we do have security standards that are specified in the actual
solicitation as well as we include cyber hygiene clauses that
are in the contracts and solicitations, as determined by the
program offices and the CIO for inclusion that identify the
different documentation and the standards that they have to
meet, the training that they have to take, and the documents
that they have to submit for us to validate that they are
meeting the security standards.
    Mr. Perry. So one final question, with the Chair's
indulgence. I wonder why it took so long to identify Kaspersky
as a risk.
It seemed to me--look, I come from Pennsylvania
State government. We used Kaspersky throughout the State
government as our security vendor, and through the complaints
we kept using it until finally the Federal Government said,
hey, there is a problem here. What took so long?
    Ms. Manfra. I can take that one, sir. I can't comment in
detail about maybe why it took so long. I can tell you for when
I was in my position, we looked in--and working with our
intelligence analysis, looked into all the available
information, both Classified and unclassified. It just came to
a point that this was not a risk that we were willing to accept
on our networks, and that is when we began the process of
identifying tools available to remove them from our networks,
and that led to the binding operational directive.
    Mr. Perry. So from a layman's standpoint, and I will close
with this, it seems to me that people like me would think as
soon as you see anything questionable, as soon as you see
anything questionable from a country like Russia, China, Iran,
or whatever that we are buying things like this from, that is a
problem and we should terminate it. But I will close with that.
    Thank you, Mr. Chair, and I yield.
    Mr. King. I would just join the gentleman in saying I know
for a number of years we were hearing about Kaspersky, and I
could never understand why we retained them, but in any event.
    Mr. Correa, you are recognized.
    Mr. Correa of California. Thank you very much. I only have
5 minutes here, so let me try to be succinct and I would
appreciate succinctness of your answers to my questions.
    But, you know, recently the administration seems to have
changed its position on Huawei and ZTE. Does that change your
perspective, your view on the security threat that these
products pose on the supply chain? Meaning are we OK to buy
them now?
Are you going to buy them, or does this not change \nyour perspective on the threat of ZTE and Huawei to our \nNational security?\n    Ms. Manfra. Sir, I am not exactly sure what you mean by \nchanging positions. If you are referring to the Commerce act on \nZTE----\n    Mr. Correa of California. Yes.\n    Ms. Manfra. So that is specific to ZTE, not Huawei. I would \nsay, similar to what we discussed with Kaspersky, what we are \nlooking at is less about the company and more about the laws \nthat that company is compelled to follow. Both Chinese and \nRussian laws compel access that we are concerned about. So what \nwe are doing is a risk assessment on companies that are subject \nto those laws and looking at the tools that we have available \nto us to address that risk.\n    Mr. Correa of California. So when you say we are looking at \nthe risk assessment, what would change of that risk assessment? \nIt is my understanding that certain countries, Russia and China \nbeing two, are generally their style of economy, so to speak. \nThose companies are essentially controlled or are accountable \nto their central government. So that model of operating would \nnever change, at least not in the short term.\n    So, I am trying to figure out, is I guess our \nclassification of ZTE would change, what would change in your \nassessment of that company in how we would do business with \nthem in the United States?\n    Ms. Manfra. I want to separate the Commerce action on ZTE, \nwhich was a specific action for something that they violated, \nfrom our work in assessing risk. We can walk through some more \ndetails in the closed session. But just at a high level, we are \nlooking at risk both now and in the future.\n    Mr. Correa of California. Let me pull back, given we will \ngo through that in closed session. But a bigger general \nquestion is, mitigation versus removal. Chain of command. You \nall operate under a chain of command, I presume. 
There are \ncertain issues you need to bring forth to the committee, \nindividuals that can respond to give you authority and so on \nand so forth, respond to your concerns.\n    Do you have the ability to jump above the chain of command \nshould you feel that your issues are not being addressed to \nbring your concerns forth?\n    Ms. Manfra. I haven\'t experienced that. I have the full \nsupport of the Secretary.\n    Mr. Correa of California. The same question to all of you, \nyes/no also?\n    Mr. Zangardi. Yes, sir, I feel that I have the full support \nof the Secretary, and if there is an issue I can go up the \nchain of command. In fact, I have a dual reporting chain to the \nSecretary and to the under secretary for management.\n    Mr. Correa of California. Ms. Correa.\n    Ms. Correa. Similar to Dr. Zangardi. We are in the same \nreporting chain. So I report to the under secretary for \nmanagement, who reports to the Secretary, and we do have the \nability to raise concerns on any procurement-related matters.\n    Mr. Correa of California. Would you say that your concerns \nare responded to affirmatively, meaning they are addressed?\n    Ms. Correa. Yes. I can say yes, that my concerns are \naddressed.\n    Mr. Zangardi. Yes, sir.\n    Ms. Manfra. Yes, sir.\n    Mr. Wilshusen. I am with GAO, and I certainly have the--can \ngo up to the Comptroller General if I have a concern about any \nissue, but I haven\'t had that yet.\n    Mr. Correa of California. I only have less than a minute \nand I wish I could delve into this a little bit more. But I \nguess my concern in the back of my head here I am thinking \nmitigation versus removing. You know what countries pose a \nthreat. You know geopolitically the challenges out there. They \nare not new. 
They continue to be what they are.\n    So, to me, if you have a bad actor that has acted poorly or \nbadly in the past, mitigation versus removing, I am not sure \nwhat the difference would be or why we would go back to dealing \nwith certain firms, knowing the threats that they present to \nour country.\n    I have only 15 seconds. Let me make a closing statement and \nthen you can answer, which is, you know, a lot of the stuff \nthat has been going on, my thought in the back of my mind, at \nwhat point do these intrusions by these foreign governments \nrepresent a declaration of war on our country or not? Because a \nlot of the stuff they are doing is, you know, essentially \nposing a threat to us either today or in the future.\n    If you have any comments, Mr. Chair, I am going to stop my \ncomments, but I would like to see if anybody can address my \ncomments.\n    Mr. Zangardi. Sir, I would like to address the mitigation \nversus removal. So I am going to specifically talk to \nmitigation. That is preferred. Now, when we say mitigation, we \nare not talking about continued procurement of the particular \nhardware or software. What we are talking about is looking at \nit and going, oh, is the threat major or minor? Are there \nsimple changes that I can make to some protocols or firewall \nsettings that preclude it from doing whatever it was going to \ndo? Then eventually remove it. Remember, everything has to be \nbalanced in a cost-benefit sort-of equation. So if you could \npreclude it from being a threat with a simple mitigation, that \nis the preferred course of action.\n    Mr. King. The gentleman\'s time has expired. Anybody else \nhave anything on this? No, OK.\n    Mr. Donovan.\n    Mr. Donovan. Thank you, Mr. Chairman.\n    I am a little bit older than Chairman Perry, so I really \ndon\'t understand this. I am not as old as Chairman King, but I \nam older than Chairman Perry. 
I am sure every one of these \nincredibly intelligent young folks behind you know a whole lot \nmore about this than all of us combined. I was told once that \nthere is more capability in this little machine than we had \nwhen we put a man on the moon in 1969. It is just amazing to \nme.\n    So, knowing that these items, whether it be a phone, \nwhether it be a 9-1-1 system, the component parts are made \nelsewhere, sometimes they are even put together elsewhere, do \nwe have in place something that will secure our security before \nwe find a vulnerability, or do we wait for something to happen \nbefore we realize there is a problem with the 9-1-1 system in \nNew York City or an iPhone that is being used by a Member of \nCongress?\n    Mr. Zangardi. So, sir, it is impossible to build a perfect \ndefense. So we take prudent precautions to develop a security \ninfrastructure that protects us against known and anticipated \nthreats. We put that in place by looking at intelligence. We \nput that in place by understanding the technology.\n    I will take it a step further. Every time we sit down with \na company--and we do meet with a lot of companies--we ask them \nabout their supply chain management process, because what you \nare talking about is it is a global marketplace and for that \nphone you have there, the parts come from many different \ncountries. So we have to understand how those suppliers of the \nhardware and software we need are building out their product. \nSo that is an area we focus on.\n    As I mentioned earlier, we have procedures in our 4300 \ninstruction that the components have to put this in place. We \naddress this during the acquisition process by putting in place \nquestions that the program office has to answer. My chief \ntechnical officer and my chief information security officer are \nvery involved in the vetting of hardware and software \ncomponents that we procure.\n    Ms. Manfra. 
Sir, if I could just add, we model what we do \nin cybersecurity similar to what is practiced in physical \nsecurity. So you don\'t just think about defense on your \nperimeter. You think about putting a lot of different alerts \nand warning capability. You think about what happens if an \nindividual gets past one perimeter, how do we deal with them \nelsewhere? How do we secure very high-valuable assets in a \nhighly secure way, put resources toward that, extra protections \naround that? That is similar to what happens in cybersecurity; \nit just becomes very technical.\n    So there are a lot of different ways that as we learn about \nwhat an adversary might be doing that is not necessarily \nrelated to patching a specific vulnerability where we can put \nwhat we call compensating controls in place.\n    So if we know that an adversary leverages legitimate \ncredentials, so they steal somebody\'s password and username, \nfor example, say through spear phishing or something like \nthat--we know that is a very common way--that they will then \nmasquerade as a legitimate user on a network. So what we do is \nthen we design our network so they can\'t just move laterally \nacross the entire system and have access to everything.\n    We also put in place identity monitoring as part of the CDM \nprogram, so that we can see if there is a user behaving in a way \nthat is not usual for that user to behave. That would alert a \nSOC, for example.\n    So there are a lot of different practices and technologies \nthat are in place that can monitor for this sort of behavior \nthat we can take action on. But, again, like Dr. Zangardi said, \nit is not perfect. You can never have that 100 percent \nsecurity. We just want to have a lot of layers, and we want to \nraise the cost for the adversary to get to those highest-value \ntargets that we are working to protect.\n    Mr. Donovan. 
I remember speaking with Jamie Dimon at \nJPMorgan, saying they are always concerned about the attack \nthat is already there laying dormant, not the ones that are \ntrying now, and thinking about if when this phone was made if a \ncomponent part was compromised and it is laying dormant in all \nof our phones right now and is that able to be detected. But I \nguess maybe we can talk about that in a closed setting as well.\n    Let me just ask, the Chairman was asking about 806 \nauthority. Are there any other authorities? I mean, we are \nlawmakers. We are supposed to listen to you, you are supposed \nto tell us what you need, and then we are supposed to help you \nget there.\n    Are there any other authorities that would help you to \nsecure, whether it be our equipment, our systems, that you \nwould like to see Congress pass?\n    Ms. Manfra. Congressman, I can start with--no, I do not have \na laundry list. Of course, the committee has worked very hard \non the authorization for our Cybersecurity and Infrastructure \nSecurity Agency, which is a name change for our organization. \nWe are hoping that we can get that passed into law.\n    We have the administration\'s legislation proposal, which \nwould have the 806-like authority in addition to codifying \nsort-of the process by which the Department and other agencies \nwould be able to continuously share this information and act on \nit. So that full legislative proposal is really what we are \nlooking for.\n    Ms. Correa. I would like to add that I am encouraged by \nthat kind of legislation, because what I think is extremely \nimportant is that we have consistency across the Government in \nhow we apply our rules and how we are going to look at this \nprocess.\n    I did want to touch on one other thing when Dr. Zangardi \nwas speaking answering your previous question. 
We also include \nthe assessment of what the technologies are that they are \nusing, what the composition of the products are, and even the \nbackgrounds of the companies as part of the proposal evaluation \nprocess. So there is a process there where we do look at \ncompanies.\n    Mr. Donovan. Mr. Chairman, my time has expired, so I yield \nback the time that I don\'t have anymore.\n    Mr. King. Very generous of you.\n    I recognize the gentleman from Massachusetts, Mr. Keating.\n    Mr. Keating. Thank you, Mr. Chairman.\n    Yesterday, we had a hearing in full Committee on Homeland \nSecurity about what the Department is doing to try and help our \nlocal and State election apparatus to protect itself from a \ncyber attack. The attack was obviously the attack that our \nintelligence community has told us that President Putin, the \nRussian government, aspired to do and did, indeed, do against \nour country.\n    So I am sitting here and I am saying, we are trying to \nreach out to our local and State election commissioners or \nsecretaries of state, saying, we are here to help you prevent \nagainst this attack. We are the Department of Homeland Security \nand we have grants to do this.\n    So how could you possibly expect them to take it seriously, \nMs. Correa, if the chief procurement officer for the U.S. \nDepartment of Homeland Security, and Mr. Zangardi, as the chief \ninformation officer, sit here in a public committee the very \nnext day, the very next day, and are saying, well, we can\'t \ntell you this happened. How can that be taken seriously? What \ndo you say? Would you have that same comment to all our \nelection commissioners and secretaries of state and say, you \nknow, we can\'t tell you that that is happening? We are not \ngoing to publicly admit that. Ms. Correa? No, Ms. Correa.\n    Ms. Correa. OK. 
Sir, what I am here to do is try to \nidentify how we can safeguard the procurement process to ensure \nthat there are no bad actors out there and that we address any \nrisks of vulnerability.\n    Mr. Keating. You are not prepared to say who did it?\n    Mr. Zangardi. No, sir, I am not.\n    Mr. Keating. You know, I sat here through the last Congress \nwith many of my colleagues saying, boy, we can\'t go get these \nradical extremists unless we call them by name. But you are not \ncalling them by name, the people that gave a hostile attack on \nour country\'s democracy. It is the same thing I heard all \nthrough the last Congress.\n    It is just beyond me how we are being expected to be taken \nseriously, the Department is expected to be taken seriously \nwhen you won\'t even admit it publicly when we are trying to \nprevent, less than 4 months away, another attack.\n    I just have a question on ZTE now. Mr. Zangardi said, well, \nwe are not going to consider any ZTE products or apparatus. But \nI was listening to Ms. Manfra, who said, well, we really look \nat the technical side and we evaluate it from that, regardless \nof what the product would be, to see if it is safe.\n    Don\'t you think that it should be automatically excluded \nfrom any procurement, not because of the technical ability of \nthe product, but because they twice broke the law on sanctions \nagainst our country, again, with hostile countries like Iran, \nNorth Korea? Isn\'t that enough by itself to say, no matter how \nmuch it is technically reviewed, how much we feel comfortable \nwith it, can you sit here and say, we are not going to under \nany circumstances use any ZTE products for Homeland Security \nprocurement? Can you say that, Mr. Zangardi, without \nqualification?\n    Mr. Zangardi. So my intent is to keep ZTE hardware off our \nnetwork.\n    Mr. Keating. No, not your personal intent, but yes or no, \nyou are not going to do it. You are not going to use their \nproducts. 
They have twice broken the law.\n    Mr. Zangardi. We do not use their product and it is based \nupon a technical assessment.\n    Mr. Keating. Well, obviously, you are not using it now. But \nnow that things have changed, can you say you will exclude it, \nperiod, going forward?\n    Mr. Zangardi. So our decisions need to be based on risk and \nbased on a technical----\n    Mr. Keating. So it is not based on their actions. OK. I \nthink we need to separate the question.\n    Quickly, Mr. Wilshusen. The conclusion in your report dealt \nwith the serious adverse impacts in risks here. Can you give us \nlike what you think are among the most serious quickly? This is \npretty serious stuff.\n    Mr. Wilshusen. Sure. If an adversary is able to install \nmalicious software or hardware into an information system, they \nmay be able to extract or change, modify, even delete very \nsensitive information that may be residing on that system.\n    That, of course, depends upon the system and what type of \ninformation it contains on that system. That could be \npersonally identifiable information, proprietary information, \nor National security, public health----\n    Mr. Keating. National security and public health.\n    Mr. Wilshusen [continuing]. Related information.\n    Mr. Keating. Thank you. Thank you. That is something for us \nall to think very carefully about in relation to my prior \nquestions.\n    I yield back.\n    Mr. King. The gentleman yields back.\n    Unless there are further questions, that concludes the \npublic portion of the hearing. 
I ask unanimous consent that the \nsubcommittees now recess for a brief period and reconvene the \nhearing in a closed session, pursuant to House rule \nXI(2)(g)(2), and we plan to reconvene in HVC-302 in 10 minutes.\n    Without objection, the subcommittees will recess.\n    [Whereupon, at 11:17 a.m., the subcommittees proceeded in \nclosed session and subsequently adjourned at 12:28 p.m.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n   Question From Chairman Scott Perry for the Department of Homeland \n                                Security\n    Question. Is the Department of Homeland Security currently using or \nin the process of procuring any software products with Russian-based \nsource code (i.e. Kaspersky, NGINX, Nordacind, Oxygen)? If so, which \nones and for what purposes?\n    Answer. Response was not received at the time of publication.\n   Questions From Honorable James R. Langevin for the Department of \n                           Homeland Security\n    Question 1a. On April 24, Assistant Secretary Jeanette Manfra \ntestified before the Senate Homeland Security and Government Affairs \nCommittee that the surge in risk and vulnerability assessments for \nelections infrastructure created ``a significant backlog in other \ncritical infrastructure sectors and Federal agencies\'\' waiting for \nsimilar assessments. The President\'s 2019 budget did not request an \nincrease in resources sufficient to overcome this backlog.\n    Are more resources necessary to support the increased requests from \nState and local governments without delaying other assessments?\n    Answer. Response was not received at the time of publication.\n    Question 1b. What is the current RVA backlog? What is the prognosis \nfor that backlog over the next calendar year?\n    Answer. Response was not received at the time of publication.\n    Question 2a. 
Based on the RVAs that DHS has carried out for State \nand local election officials, do most States and localities have the \nresources required to sufficiently mitigate their cybersecurity \nvulnerabilities (including equipment, staffing, training, and other \ncomponents that factor into security)?\n    Answer. Response was not received at the time of publication.\n    Question 2b. If not, how big is the shortfall?\n    Answer. Response was not received at the time of publication.\n    Question 3. In the guidance NPPD issued to election officials on \nhow to spend security funding, NPPD emphasizes the importance of \ndeploying auditable voting systems.\n    How important is it that States have auditable paper trails and \nconduct post-election audits to verify the digital tallies of election \nresults?\n    Answer. Response was not received at the time of publication.\n    Question 4. Much of DHS\'s mission requires close coordination with \nother agencies, especially with respect to cybersecurity.\n    How has the Department\'s ability to synchronize its cyber mission \nwith other agencies been affected by the elimination of the \nCybersecurity Coordinator position and the recent high rate of turnover \nat the National Security Council?\n    Answer. Response was not received at the time of publication.\n\n                                 [all]\n</pre></body></html>\n'